CVE-2021-29559: TensorFlow: heap OOB read in UnicodeEncode leaks memory

HIGH PoC AVAILABLE

Published May 14, 2021

CISO Take

A heap out-of-bounds read in TensorFlow's UnicodeEncode operation lets any low-privileged local user read memory beyond allocated bounds, risking data exposure or service crash. Patch immediately to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4. Risk is elevated in shared ML environments — Jupyter servers, multi-tenant training clusters — where 'local access' is not a meaningful barrier.

What is the risk?

Medium-high risk in shared ML environments. The local attack vector (AV:L) sounds limiting, but modern AI infrastructure routinely involves multi-user notebook servers, shared GPU clusters, and containerized inference endpoints where low-privilege access is common and expected. Low complexity (AC:L) and low privilege (PR:L) mean any authorized platform user can trigger it. High confidentiality impact (C:H) suggests potential exposure of in-memory training data, model weights, API keys, or pipeline credentials stored in adjacent heap allocations. Not in CISA KEV reduces urgency for isolated deployments, but shared infrastructure should treat this as high priority.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 4d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

7.1 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 10% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I None

A High

What should I do?

6 steps

PATCH

Upgrade TensorFlow to 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 — all contain the fix from commit 51300ba1cc2f.
ISOLATE

If patching is delayed, enforce per-user kernel isolation in Jupyter/notebook environments (separate containers per user).
INPUT VALIDATION

Audit all pipelines that accept external inputs routed to UnicodeEncode ops; validate sparse tensor consistency before op execution.
NETWORK SEGMENTATION

Restrict access to training/inference environments to authorized users only; enforce least-privilege on ML platform accounts.
DEFENSE IN DEPTH

Ensure OS-level memory protections (ASLR, stack canaries) are enabled on ML inference hosts.
DETECT

Alert on unexpected crashes or OOM errors in TensorFlow serving processes, which may indicate exploitation attempts.

How is it classified?

Data Extraction DoS Framework Training Data AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

8.4 - AI system technical robustness and safety

NIST AI RMF

MS-2.5 - Measure: AI risk monitoring and testing

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2021-29559?

Is CVE-2021-29559 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29559, increasing the risk of exploitation.

How to fix CVE-2021-29559?

1. PATCH: Upgrade TensorFlow to 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 — all contain the fix from commit 51300ba1cc2f. 2. ISOLATE: If patching is delayed, enforce per-user kernel isolation in Jupyter/notebook environments (separate containers per user). 3. INPUT VALIDATION: Audit all pipelines that accept external inputs routed to UnicodeEncode ops; validate sparse tensor consistency before op execution. 4. NETWORK SEGMENTATION: Restrict access to training/inference environments to authorized users only; enforce least-privilege on ML platform accounts. 5. DEFENSE IN DEPTH: Ensure OS-level memory protections (ASLR, stack canaries) are enabled on ML inference hosts. 6. DETECT: Alert on unexpected crashes or OOM errors in TensorFlow serving processes, which may indicate exploitation attempts.

What systems are affected by CVE-2021-29559?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, data preprocessing pipelines, multi-tenant ML platforms.

What is the CVSS score for CVE-2021-29559?

CVE-2021-29559 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingdata preprocessing pipelinesmulti-tenant ML platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0025 Exfiltration via Cyber Means

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: 8.4

NIST AI RMF: MS-2.5

OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. An attacker can access data outside of bounds of heap allocated array in `tf.raw_ops.UnicodeEncode`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/472c1f12ad9063405737679d4f6bd43094e1d36d/tensorflow/core/kernels/unicode_ops.cc) assumes that the `input_value`/`input_splits` pair specify a valid sparse tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with a standard data scientist account on a shared multi-user Jupyter server crafts a Python notebook that calls tf.raw_ops.UnicodeEncode with deliberately inconsistent input_value and input_splits tensors that violate sparse tensor invariants. The TensorFlow kernel, without bounds validation, reads beyond the heap-allocated array into adjacent memory regions. These regions may contain another tenant's training batch currently being processed, environment variables holding API keys or database credentials, or model weight buffers. The attacker captures the memory dump and exfiltrates sensitive data. Alternatively, a malicious model file distributed via a public repository could embed this call to trigger data leakage when a victim loads and evaluates the model.

Weaknesses (CWE)

CWE-125 Out-of-bounds Read

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.