CVE-2021-29571: TensorFlow: heap OOB write via crafted bounding box op

Severity: HIGH. Public PoC available.
Published May 14, 2021
CISO Take

A heap out-of-bounds write in TensorFlow's DrawBoundingBoxesV2 op allows an attacker with local/low-privilege access to corrupt memory, potentially achieving code execution. Any multi-tenant ML training environment, shared Jupyter infrastructure, or TF Serving deployment processing untrusted image data is at direct risk. Patch immediately to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4; treat unpatched TensorFlow in shared compute as a lateral movement vector.

Risk Assessment

CVSS 7.8 HIGH with local vector and low privilege requirements. In practice, the 'local' constraint is often satisfied in AI/ML contexts: shared GPU clusters, Jupyter notebook servers, model training APIs, and TF Serving endpoints that accept raw op graphs all expose this surface. Heap corruption with both read and write primitives elevates the realistic impact beyond the base score — reliable exploitation depends on heap layout but is achievable with moderate effort. Not in KEV, but the class of vulnerability (missing input validation in TF kernel ops) historically enables sandbox escapes in multi-tenant ML platforms.

Affected Systems

Package: tensorflow
Ecosystem: pip
Vulnerable Range: (not given)
Patched: No patch

Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 4% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

Recommended Action

  1. Patch: upgrade to TensorFlow 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 — the fix adds dimension validation before heap access.

  2. Inventory: identify all services running unpatched TF versions (check pip list / conda list in all environments including CI/CD runners and Docker images).

  3. Isolate: enforce process-level isolation in multi-tenant ML platforms — no shared TF process across trust boundaries.

  4. Input validation: if consuming external bounding box data, validate that the boxes tensor last dimension equals 4 before passing to any TF op.

  5. Detect: monitor for abnormal process terminations or memory allocation failures in TF serving processes as a signal of exploitation attempts.

  6. Container hardening: run TF Serving containers with seccomp profiles and no-new-privileges to reduce post-exploitation impact.
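Added example, not TensorFlow's own code and not part of this advisory, covering steps 1, 2 and 4 above: a version check against the patched releases named in this advisory and a shape guard that rejects a boxes tensor whose last dimension is not 4 before the op is ever invoked. It assumes tf.image.draw_bounding_boxes is the public wrapper for DrawBoundingBoxesV2, treats minor lines newer than 2.5 as fixed, and treats lines older than 2.1 (no fixed release is named for them) and pre-release tags of a minimum fixed release as unpatched.

```python
import re

# Minimum fixed release per 2.x minor line, as listed in this advisory.
PATCHED_RELEASES = {
    (2, 1): (2, 1, 4),
    (2, 2): (2, 2, 3),
    (2, 3): (2, 3, 3),
    (2, 4): (2, 4, 2),
    (2, 5): (2, 5, 0),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def tf_version_is_patched(version: str) -> bool:
    """True if this TensorFlow version string carries the CVE-2021-29571 fix.

    Assumptions (not stated in the advisory): lines newer than 2.5 are fixed;
    lines older than 2.1 and pre-release tags of the minimum fixed release
    (e.g. "2.5.0rc0") are treated as unpatched.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    suffix = m.group(4)
    if major > 2 or (major == 2 and minor > 5):
        return True
    required = PATCHED_RELEASES.get((major, minor))
    if required is None:
        return False  # 1.x / 2.0.x: no fixed release named, treat as vulnerable
    if (major, minor, patch) > required:
        return True
    return (major, minor, patch) == required and suffix == ""


def boxes_shape_is_valid(shape) -> bool:
    """DrawBoundingBoxesV2 requires boxes of shape [batch, num_boxes, 4].

    Unknown (None) dimensions are rejected: the guard only passes fully
    static shapes whose last dimension is exactly 4.
    """
    shape = tuple(shape)
    return (len(shape) == 3 and shape[2] == 4
            and all(isinstance(d, int) and d >= 0 for d in shape))


def safe_draw_bounding_boxes(images, boxes, colors):
    """Guarded wrapper around tf.image.draw_bounding_boxes (assumed API)."""
    if not boxes_shape_is_valid(boxes.shape):
        raise ValueError(f"boxes must be [B, N, 4], got {tuple(boxes.shape)}")
    import tensorflow as tf  # lazy import: the checks above run without TF
    if not tf_version_is_patched(tf.__version__):
        raise RuntimeError(f"TensorFlow {tf.__version__} lacks the CVE-2021-29571 fix")
    return tf.image.draw_bounding_boxes(images, boxes, colors)
```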

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - Security of AI system resources
NIST AI RMF: MANAGE-2.2 - Mechanisms for AI Risk Treatment
OWASP LLM Top 10: LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2021-29571 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29571, increasing the risk of exploitation.

What systems are affected by CVE-2021-29571?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML development environments, object detection systems, shared GPU compute clusters.

What is the CVSS score for CVE-2021-29571?

CVE-2021-29571 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if an attacker supplies specially crafted inputs. [The implementation](https://github.com/tensorflow/tensorflow/blob/31bd5026304677faa8a0b77602c6154171b9aec1/tensorflow/core/kernels/image/draw_bounding_box_op.cc#L116-L130) assumes that the last element of `boxes` input is 4, as required by [the op](https://www.tensorflow.org/api_docs/python/tf/raw_ops/DrawBoundingBoxesV2). Since this is not checked, attackers passing values less than 4 can write outside of bounds of heap allocated objects and cause memory corruption. If the last dimension in `boxes` is less than 4, accesses similar to `tboxes(b, bb, 3)` will access data outside of bounds. Further, during code execution there are also writes to these indices. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a shared ML training platform (e.g., a rogue data scientist, compromised CI pipeline, or malicious training dataset contributor) submits a TensorFlow SavedModel or eager-mode script that calls tf.raw_ops.DrawBoundingBoxesV2 with a boxes tensor shaped [B, N, 3] instead of the required [B, N, 4]. When the platform executes the model for validation or inference, the kernel reads and writes index 3 of the last dimension, one element past the last valid index (2) of each row, so every box processed touches heap memory beyond the tensor's allocation. With control over the malicious input, the attacker shapes the heap to overwrite adjacent allocations, targeting function pointers or security-sensitive buffers, to escalate privileges within the training node, pivot to other tenants' model artifacts, or exfiltrate credentials from the ML runtime environment.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021
