CVE-2021-29564 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

A local attacker with low privileges can crash TensorFlow processes by passing malformed inputs to tf.raw_ops.EditDistance, causing availability loss in training or inference workloads. This is most dangerous in shared ML platforms (Jupyter Hub, Kubeflow, SageMaker multi-tenant) where untrusted users can submit jobs. Patch to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 — no workaround exists short of input validation at the application layer.

Risk Assessment

Medium risk in single-tenant or tightly controlled environments; elevated risk in multi-tenant ML platforms. CVSS 5.5 (local, low privilege) limits exposure surface, but AI/ML infrastructure often runs shared Jupyter or notebook servers where co-tenant exploitation is plausible. No confidentiality or integrity impact — purely availability. Not in CISA KEV and no known active exploitation, but the fix was published with a working exploit reference (GHSA-75f6-78jr-4656), lowering exploitation bar to trivial.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 1% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade to TensorFlow ≥2.5.0, or apply backports to 2.4.2 / 2.3.3 / 2.2.3 / 2.1.4. Commit f4c364a5d6880557f6f5b6eb5cee2c407f0186b3 contains the fix.
DETECT

Enable crash monitoring on TF processes; unexpected SIGSEGV/null deref in tensorflow_core should trigger incident response.
ISOLATE

In multi-tenant environments, run each user's TF session in isolated containers/namespaces — limits blast radius to a single tenant.
VALIDATE

Wrap calls to EditDistance with input shape/type validation before passing to the op layer.
AUDIT

Scan your deployed TF versions via pip show tensorflow across all inference and training nodes.

Classification

DoS Framework AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system for high-risk AI systems

ISO 42001

8.4 - AI system risk management — operational security

NIST AI RMF

MANAGE-2.2 - Mechanisms to address identified AI risks

OWASP LLM Top 10

LLM06:2025 - Excessive Agency / Supply Chain

Frequently Asked Questions

What is CVE-2021-29564?

A local attacker with low privileges can crash TensorFlow processes by passing malformed inputs to tf.raw_ops.EditDistance, causing availability loss in training or inference workloads. This is most dangerous in shared ML platforms (Jupyter Hub, Kubeflow, SageMaker multi-tenant) where untrusted users can submit jobs. Patch to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 — no workaround exists short of input validation at the application layer.

Is CVE-2021-29564 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29564, increasing the risk of exploitation.

How to fix CVE-2021-29564?

1. PATCH: Upgrade to TensorFlow ≥2.5.0, or apply backports to 2.4.2 / 2.3.3 / 2.2.3 / 2.1.4. Commit f4c364a5d6880557f6f5b6eb5cee2c407f0186b3 contains the fix. 2. DETECT: Enable crash monitoring on TF processes; unexpected SIGSEGV/null deref in tensorflow_core should trigger incident response. 3. ISOLATE: In multi-tenant environments, run each user's TF session in isolated containers/namespaces — limits blast radius to a single tenant. 4. VALIDATE: Wrap calls to EditDistance with input shape/type validation before passing to the op layer. 5. AUDIT: Scan your deployed TF versions via `pip show tensorflow` across all inference and training nodes.

What systems are affected by CVE-2021-29564?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML notebook environments.

What is the CVSS score for CVE-2021-29564?

CVE-2021-29564 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a null pointer dereference in the implementation of `tf.raw_ops.EditDistance`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/79865b542f9ffdc9caeb255631f7c56f1d4b6517/tensorflow/core/kernels/edit_distance_op.cc#L103-L159) has incomplete validation of the input parameters. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a shared ML platform (e.g., a Jupyter Hub instance used by a data science team) submits a notebook that calls `tf.raw_ops.EditDistance()` with deliberately malformed or incomplete input parameters — omitting required tensor shapes or passing tensors with incompatible dimensions. The incomplete validation in edit_distance_op.cc dereferences a null pointer, crashing the TF session process. In a shared notebook server configuration, this terminates active sessions for all co-located users. In a model-as-a-service architecture where EditDistance is part of a serving graph, repeated calls cause continuous availability degradation — effectively a low-cost DoS against the inference endpoint.