AI Threat Alert

CVE-2021-29570: TensorFlow: OOB read in MaxPoolGradWithArgmax op

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

A low-complexity local vulnerability in TensorFlow's MaxPool gradient kernel allows attackers with minimal privileges to trigger heap out-of-bounds reads, risking memory disclosure or inference service crash. Patch immediately to TF 2.5.0 or apply the available backports to 2.1.4/2.2.3/2.3.3/2.4.2. Primary risk surface is shared ML inference infrastructure processing untrusted inputs.

What is the risk?

CVSS 7.1 High with local attack vector and low privileges required. While local access limits opportunistic exploitation, shared ML infrastructure—multi-tenant Jupyter environments, model serving APIs, MLOps pipelines—effectively expands the attack surface beyond the nominal local vector. No confirmed active exploitation in the wild and not in CISA KEV. Risk is elevated for organizations running shared TensorFlow inference infrastructure without strict input validation or process isolation.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.1 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 5% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I None
A High

What should I do?

4 steps

  1. Patch: Upgrade to TensorFlow 2.5.0 or cherry-pick backport commit dcd7867de0fea4b72a2b34bd41eb74548dc23886 for affected branches (2.1.4, 2.2.3, 2.3.3, 2.4.2).

  2. Inventory: Audit TF version across all inference servers, MLOps pipelines, Jupyter hubs, and CI/CD training runners.

  3. Workaround: Restrict tf.raw_ops access to trusted callers; sandbox TensorFlow execution when processing untrusted inputs.

  4. Detection: Alert on unexpected TF serving process crashes or anomalous OOM signals from inference services as potential exploitation indicators.

How is it classified?

DoS Data Extraction Framework Inference AML.T0010.001 AML.T0029 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system operation
NIST AI RMF
MANAGE-2.2 - Mechanisms to inventory and manage AI risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29570?

A low-complexity local vulnerability in TensorFlow's MaxPool gradient kernel allows attackers with minimal privileges to trigger heap out-of-bounds reads, risking memory disclosure or inference service crash. Patch immediately to TF 2.5.0 or apply the available backports to 2.1.4/2.2.3/2.3.3/2.4.2. Primary risk surface is shared ML inference infrastructure processing untrusted inputs.

Is CVE-2021-29570 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29570, increasing the risk of exploitation.

How to fix CVE-2021-29570?

1. Patch: Upgrade to TensorFlow 2.5.0 or cherry-pick backport commit dcd7867de0fea4b72a2b34bd41eb74548dc23886 for affected branches (2.1.4, 2.2.3, 2.3.3, 2.4.2). 2. Inventory: Audit TF version across all inference servers, MLOps pipelines, Jupyter hubs, and CI/CD training runners. 3. Workaround: Restrict tf.raw_ops access to trusted callers; sandbox TensorFlow execution when processing untrusted inputs. 4. Detection: Alert on unexpected TF serving process crashes or anomalous OOM signals from inference services as potential exploitation indicators.

What systems are affected by CVE-2021-29570?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, inference APIs.

What is the CVSS score for CVE-2021-29570?

CVE-2021-29570 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.15%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servinginference APIs

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: 8.4
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The implementation(https://github.com/tensorflow/tensorflow/blob/ef0c008ee84bad91ec6725ddc42091e19a30cf0e/tensorflow/core/kernels/maxpooling_op.cc#L1016-L1017) uses the same value to index in two different arrays but there is no guarantee that the sizes are identical. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a multi-tenant ML platform or self-hosted model serving endpoint crafts a malicious inference request with mismatched tensor dimensions targeting the MaxPoolGradWithArgmax kernel. The kernel reads beyond its heap-allocated buffer—either crashing the TF serving process (DoS of the inference API) or leaking adjacent heap memory that may contain model weights, prior inference results, or session metadata. In CI/CD pipelines that auto-execute submitted models, an untrusted contributor could embed this exploit to disrupt training runs or probe memory contents of co-located workloads.

Weaknesses (CWE)

CWE-125 Out-of-bounds Read

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed