CVE-2021-29573 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

This medium-severity vulnerability allows a local, low-privileged attacker to crash TensorFlow processes by passing a zero-batch tensor to MaxPoolGradWithArgmax — no remote vector, no data exfiltration. Primary risk is availability disruption in shared or multi-tenant ML training environments. Patch immediately to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4; the fix is available and straightforward.

Risk Assessment

Risk is LOW to MEDIUM depending on deployment context. CVSS 5.5 (local) reflects limited exploitability: attacker needs local access and low privileges. In isolated single-tenant training environments the blast radius is minimal. Risk escalates in multi-tenant ML platforms (shared Jupyter, Kubeflow, SageMaker Studio) where untrusted users can submit training jobs — a malicious insider or compromised notebook could repeatedly crash shared training workers. Not in CISA KEV and no evidence of active exploitation as of disclosure date.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 1% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade to TensorFlow 2.5.0 or cherrypicked fixes: 2.4.2, 2.3.3, 2.2.3, 2.1.4. Commit 376c352a is the authoritative fix.
WORKAROUND

Add upstream batch dimension validation before any call to MaxPoolGradWithArgmax — assert or tf.debugging.assert_greater(tf.shape(tensor)[0], 0).
MULTI-TENANT PLATFORMS: Restrict user-submitted training jobs to sandboxed environments; treat TF process crashes as potential abuse signals.
DETECTION

Alert on abnormal TF process termination in training clusters; log SIGFPE/division-by-zero signals from ML worker processes.
INVENTORY

Run 'pip show tensorflow' across all ML nodes; flag any version below the patched releases.

Classification

DoS Framework Training Data AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

6.1.2 - AI risk assessment 8.4 - AI system lifecycle

NIST AI RMF

MANAGE-2.2 - Treatment of AI risks MEASURE-2.5 - AI risk measurement and monitoring

Frequently Asked Questions

What is CVE-2021-29573?

This medium-severity vulnerability allows a local, low-privileged attacker to crash TensorFlow processes by passing a zero-batch tensor to MaxPoolGradWithArgmax — no remote vector, no data exfiltration. Primary risk is availability disruption in shared or multi-tenant ML training environments. Patch immediately to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4; the fix is available and straightforward.

Is CVE-2021-29573 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29573, increasing the risk of exploitation.

How to fix CVE-2021-29573?

1. PATCH: Upgrade to TensorFlow 2.5.0 or cherrypicked fixes: 2.4.2, 2.3.3, 2.2.3, 2.1.4. Commit 376c352a is the authoritative fix. 2. WORKAROUND: Add upstream batch dimension validation before any call to MaxPoolGradWithArgmax — assert or tf.debugging.assert_greater(tf.shape(tensor)[0], 0). 3. MULTI-TENANT PLATFORMS: Restrict user-submitted training jobs to sandboxed environments; treat TF process crashes as potential abuse signals. 4. DETECTION: Alert on abnormal TF process termination in training clusters; log SIGFPE/division-by-zero signals from ML worker processes. 5. INVENTORY: Run 'pip show tensorflow' across all ML nodes; flag any version below the patched releases.

What systems are affected by CVE-2021-29573?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving with gradient-based inference, multi-tenant ML platforms, MLOps CI/CD pipelines.

What is the CVSS score for CVE-2021-29573?

CVE-2021-29573 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` is vulnerable to a division by 0. The implementation(https://github.com/tensorflow/tensorflow/blob/279bab6efa22752a2827621b7edb56a730233bd8/tensorflow/core/kernels/maxpooling_op.cc#L1033-L1034) fails to validate that the batch dimension of the tensor is non-zero, before dividing by this quantity. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An insider threat or attacker with access to a shared Kubeflow or MLflow training cluster submits a crafted training script that passes a tensor with batch_size=0 to a model containing a max-pooling layer with gradient computation (e.g., during a backward pass). TensorFlow attempts to divide by the batch dimension, triggers a division-by-zero (CWE-369), and the training worker process crashes. The attacker repeats this in a loop to create sustained denial of service against the shared training infrastructure, delaying production model deployments. In a CI/CD MLOps pipeline, this could block automated retraining jobs indefinitely.