CVE-2021-29568 — HIGH (CVSS 7.8) AI Security Vulnerability

CISO Take

Any TensorFlow deployment below 2.5.0 running this op with attacker-controlled shape inputs is vulnerable to crash or potential code execution with local access. Patch immediately to TF 2.5.0 or apply cherrypick commits for supported 2.1.x–2.4.x branches. Shared ML training clusters are the highest-risk surface — prioritize those environments.

Risk Assessment

CVSS 7.8 High with local attack vector, low complexity, and low privileges required makes this exploitable by any authenticated user on a shared ML system. While no public exploitation is recorded and it is absent from CISA KEV, shared training infrastructure (Jupyter environments, ML platforms, multi-tenant GPU clusters) significantly amplifies exposure. The C:H/I:H/A:H impact triad indicates full compromise potential if undefined behavior is leveraged beyond a crash.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 1% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

Patch: Upgrade to TensorFlow 2.5.0 or apply the cherry-picked fix on 2.4.2, 2.3.3, 2.2.3, or 2.1.4. Commit reference: 5e52ef5a461570cfb68f3bdbbebfe972cb4e0fd8.
Workaround: Enforce server-side validation that shape argument passed to ParameterizedTruncatedNormal is non-empty before execution.
Access control: Restrict direct access to tf.raw_ops in multi-tenant environments; sandbox untrusted model execution.
Detection: Monitor for process crashes in TF Serving instances or anomalous OOM/SIGABRT signals in training workers.
Audit: Identify all pipelines using tf.raw_ops.ParameterizedTruncatedNormal or the high-level keras.initializers.TruncatedNormal backed by this op.

Classification

Code Execution DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity for high-risk AI systems

ISO 42001

A.6.2.8 - AI system security — vulnerability management

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI and manage risks over the lifecycle

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29568?

Any TensorFlow deployment below 2.5.0 running this op with attacker-controlled shape inputs is vulnerable to crash or potential code execution with local access. Patch immediately to TF 2.5.0 or apply cherrypick commits for supported 2.1.x–2.4.x branches. Shared ML training clusters are the highest-risk surface — prioritize those environments.

Is CVE-2021-29568 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29568, increasing the risk of exploitation.

How to fix CVE-2021-29568?

1. Patch: Upgrade to TensorFlow 2.5.0 or apply the cherry-picked fix on 2.4.2, 2.3.3, 2.2.3, or 2.1.4. Commit reference: 5e52ef5a461570cfb68f3bdbbebfe972cb4e0fd8. 2. Workaround: Enforce server-side validation that shape argument passed to ParameterizedTruncatedNormal is non-empty before execution. 3. Access control: Restrict direct access to tf.raw_ops in multi-tenant environments; sandbox untrusted model execution. 4. Detection: Monitor for process crashes in TF Serving instances or anomalous OOM/SIGABRT signals in training workers. 5. Audit: Identify all pipelines using tf.raw_ops.ParameterizedTruncatedNormal or the high-level keras.initializers.TruncatedNormal backed by this op.

What systems are affected by CVE-2021-29568?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ml platforms and notebook environments.

What is the CVSS score for CVE-2021-29568?

CVE-2021-29568 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger undefined behavior by binding to null pointer in `tf.raw_ops.ParameterizedTruncatedNormal`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/3f6fe4dfef6f57e768260b48166c27d148f3015f/tensorflow/core/kernels/parameterized_truncated_normal_op.cc#L630) does not validate input arguments before accessing the first element of `shape`. If `shape` argument is empty, then `shape_tensor.flat<T>()` is an empty array. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with low-privilege access to a shared TensorFlow environment (e.g., a data scientist account on a multi-tenant ML platform or a compromised notebook server) crafts a minimal script calling tf.raw_ops.ParameterizedTruncatedNormal with an empty shape tensor. The kernel dereferences shape_tensor.flat<T>() on an empty array, triggering undefined behavior. On unpatched systems this results in a null pointer dereference — crashing the TF worker process and potentially disrupting ongoing training jobs. In adversarial conditions with memory layout control, this could escalate to arbitrary code execution within the TF process, enabling exfiltration of model weights or training data accessible to that process.