AI Threat Alert AI Threat Alert

CVE-2021-29559: TensorFlow: heap OOB read in UnicodeEncode leaks memory

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

A heap out-of-bounds read in TensorFlow's UnicodeEncode operation lets any low-privileged local user read memory beyond allocated bounds, risking data exposure or service crash. Patch immediately to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4. Risk is elevated in shared ML environments — Jupyter servers, multi-tenant training clusters — where 'local access' is not a meaningful barrier.

Risk Assessment

Medium-high risk in shared ML environments. The local attack vector (AV:L) sounds limiting, but modern AI infrastructure routinely involves multi-user notebook servers, shared GPU clusters, and containerized inference endpoints where low-privilege access is common and expected. Low complexity (AC:L) and low privilege (PR:L) mean any authorized platform user can trigger it. High confidentiality impact (C:H) suggests potential exposure of in-memory training data, model weights, API keys, or pipeline credentials stored in adjacent heap allocations. Not in CISA KEV reduces urgency for isolated deployments, but shared infrastructure should treat this as high priority.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.1 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 1% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I None
A High

Recommended Action

6 steps

  1. PATCH

    Upgrade TensorFlow to 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 — all contain the fix from commit 51300ba1cc2f.

  2. ISOLATE

    If patching is delayed, enforce per-user kernel isolation in Jupyter/notebook environments (separate containers per user).

  3. INPUT VALIDATION

    Audit all pipelines that accept external inputs routed to UnicodeEncode ops; validate sparse tensor consistency before op execution.

  4. NETWORK SEGMENTATION

    Restrict access to training/inference environments to authorized users only; enforce least-privilege on ML platform accounts.

  5. DEFENSE IN DEPTH

    Ensure OS-level memory protections (ASLR, stack canaries) are enabled on ML inference hosts.

  6. DETECT

    Alert on unexpected crashes or OOM errors in TensorFlow serving processes, which may indicate exploitation attempts.

Classification

Data Extraction DoS Framework Training Data AML.T0010.001 AML.T0025 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
8.4 - AI system technical robustness and safety
NIST AI RMF
MS-2.5 - Measure: AI risk monitoring and testing
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2021-29559?

A heap out-of-bounds read in TensorFlow's UnicodeEncode operation lets any low-privileged local user read memory beyond allocated bounds, risking data exposure or service crash. Patch immediately to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4. Risk is elevated in shared ML environments — Jupyter servers, multi-tenant training clusters — where 'local access' is not a meaningful barrier.

Is CVE-2021-29559 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29559, increasing the risk of exploitation.

How to fix CVE-2021-29559?

1. PATCH: Upgrade TensorFlow to 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 — all contain the fix from commit 51300ba1cc2f. 2. ISOLATE: If patching is delayed, enforce per-user kernel isolation in Jupyter/notebook environments (separate containers per user). 3. INPUT VALIDATION: Audit all pipelines that accept external inputs routed to UnicodeEncode ops; validate sparse tensor consistency before op execution. 4. NETWORK SEGMENTATION: Restrict access to training/inference environments to authorized users only; enforce least-privilege on ML platform accounts. 5. DEFENSE IN DEPTH: Ensure OS-level memory protections (ASLR, stack canaries) are enabled on ML inference hosts. 6. DETECT: Alert on unexpected crashes or OOM errors in TensorFlow serving processes, which may indicate exploitation attempts.

What systems are affected by CVE-2021-29559?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, data preprocessing pipelines, multi-tenant ML platforms.

What is the CVSS score for CVE-2021-29559?

CVE-2021-29559 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can access data outside of bounds of heap allocated array in `tf.raw_ops.UnicodeEncode`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/472c1f12ad9063405737679d4f6bd43094e1d36d/tensorflow/core/kernels/unicode_ops.cc) assumes that the `input_value`/`input_splits` pair specify a valid sparse tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with a standard data scientist account on a shared multi-user Jupyter server crafts a Python notebook that calls tf.raw_ops.UnicodeEncode with deliberately inconsistent input_value and input_splits tensors that violate sparse tensor invariants. The TensorFlow kernel, without bounds validation, reads beyond the heap-allocated array into adjacent memory regions. These regions may contain another tenant's training batch currently being processed, environment variables holding API keys or database credentials, or model weight buffers. The attacker captures the memory dump and exfiltrates sensitive data. Alternatively, a malicious model file distributed via a public repository could embed this call to trigger data leakage when a victim loads and evaluates the model.

Weaknesses (CWE)

CWE-125

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed