CVE-2021-29574: TensorFlow: null ptr deref in MaxPool3DGradGrad ops

Severity: HIGH. Public PoC available.
Published May 14, 2021
CISO Take

Any TensorFlow deployment running versions below 2.5.0 (or un-backpatched 2.1.x–2.4.x) that exposes 3D pooling gradient operations is vulnerable to process crashes or potential code execution via crafted empty tensors. Patch immediately to TF 2.5.0+ or the applicable backport; no known workaround exists for the raw op. Audit model-serving endpoints that accept user-controlled tensor inputs — these are your highest-risk exposure.

What is the risk?

CVSS 7.8 with a local attack vector understates the real-world risk in ML serving contexts. When TensorFlow model-serving APIs (TF Serving, FastAPI wrappers, custom gRPC endpoints) accept arbitrary operator inputs, the 'local' constraint effectively becomes remote. Low complexity and no required user interaction make this trivially exploitable once access is achieved. No CISA KEV listing and the 2021 vintage reduce urgency, but unpatched TF instances remain common in research and production ML pipelines.

What systems are affected?

Package      Ecosystem   Vulnerable Range   Patched
TensorFlow   pip                            No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 7.8 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 10% of all CVEs)
Exploitation status: Exploit available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

5 steps
  1. Patch: Upgrade to TensorFlow 2.5.0, or apply backports to 2.4.2 / 2.3.3 / 2.2.3 / 2.1.4 per GHSA-828x-qc2p-wprq.

  2. Input validation: Add pre-execution tensor shape validation — reject any tensor with zero-sized dimensions before passing to pooling gradient ops.

  3. Sandbox: Run TF Serving processes under seccomp/AppArmor profiles to limit blast radius of crashes.

  4. Monitoring: Alert on abrupt TF Serving process restarts or SIGSEGV signals in model-serving pods.

  5. Inventory: Identify all internal deployments using TF 2.1–2.4 via dependency scanning (pip-audit, Trivy for containers).

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Security of AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

Is CVE-2021-29574 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29574, increasing the risk of exploitation.

What systems are affected by CVE-2021-29574?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference endpoints.

What is the CVSS score for CVE-2021-29574?

CVE-2021-29574 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, inference endpoints

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPool3DGradGrad` exhibits undefined behavior by dereferencing null pointers backing attacker-supplied empty tensors. The implementation (https://github.com/tensorflow/tensorflow/blob/72fe792967e7fd25234342068806707bbc116618/tensorflow/core/kernels/pooling_ops_3d.cc#L679-L703) fails to validate that the 3 tensor inputs are not empty. If any of them is empty, then accessing the elements in the tensor results in dereferencing a null pointer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a model-serving API (internal user, compromised service account, or attacker who pivoted to the ML cluster) crafts an inference request that routes through a model containing a MaxPool3DGradGrad layer. They submit a payload with one or more empty tensors (shape [0, x, x, x, x]). TensorFlow dereferences the null data pointer when accessing tensor elements, causing the serving process to crash. In a containerized environment without restart policies, this takes the model offline. A sophisticated attacker may chain this with heap manipulation techniques on specific kernel/allocator combos for controlled code execution within the serving pod.
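The advisory says the unpatched kernel never checks that its three inputs are non-empty, and remediation step 2 above calls for rejecting zero-sized dimensions before dispatch. The following is an added example, not TensorFlow's or the advisory's code, of such a pre-execution guard: it inspects only shape metadata, accepts numpy arrays, tf.Tensors or plain dimension lists, and the batch/channel consistency rule and the function names are assumptions of this example.

```python
"""Static shape guard for MaxPool3DGradGrad inputs (added example, not TensorFlow code)."""
from typing import Any, Dict, List, Optional
# Input names/order as listed in the advisory; layout is [batch, depth, rows, cols, channels].
INPUT_NAMES = ("orig_input", "orig_output", "grad")
EXPECTED_RANK = 5

def _shape_of(x: Any) -> List[Optional[int]]:
    """Shape as ints (None = unknown) from anything with .shape, or from a plain dim list."""
    dims = []
    for d in getattr(x, "shape", x):
        d = getattr(d, "value", d)  # tf.Dimension objects on older TF versions
        dims.append(None if d is None else int(d))
    return dims

def check_maxpool3d_gradgrad_inputs(orig_input: Any, orig_output: Any, grad: Any) -> List[str]:
    """Return validation failures; an empty list means the inputs may be dispatched.

    Rules: each input is rank 5 with known dims; no dim is zero (an empty tensor
    has no data buffer, which is what the unpatched kernel dereferences); batch
    and channel dims agree across inputs, since pooling never changes them
    (assumption of this example). Only shape metadata is inspected, never data.
    """
    problems: List[str] = []
    shapes: Dict[str, List[Optional[int]]] = {}
    for name, tensor in zip(INPUT_NAMES, (orig_input, orig_output, grad)):
        shape = _shape_of(tensor)
        shapes[name] = shape
        if len(shape) != EXPECTED_RANK:
            problems.append(f"{name}: expected rank {EXPECTED_RANK}, got {len(shape)}")
            continue
        for axis, d in enumerate(shape):
            if d is None:
                problems.append(f"{name}: dimension {axis} is unknown")
            elif d == 0:
                problems.append(f"{name}: dimension {axis} is zero (empty tensor)")
    if problems:
        return problems
    for label, axis in (("batch", 0), ("channel", -1)):
        values = {shapes[n][axis] for n in INPUT_NAMES}
        if len(values) != 1:
            problems.append(f"{label} dimension differs across inputs: {sorted(values)}")
    return problems

def guarded_maxpool3d_gradgrad(orig_input, orig_output, grad, op):
    """Invoke op(...) (e.g. a tf.raw_ops.MaxPool3DGradGrad wrapper) only after the check passes."""
    problems = check_maxpool3d_gradgrad_inputs(orig_input, orig_output, grad)
    if problems:
        raise ValueError("rejected MaxPool3DGradGrad inputs: " + "; ".join(problems))
    return op(orig_input, orig_output, grad)
```

Place the guard in the serving layer that deserializes client tensors, so malformed requests are refused before any kernel runs.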

Weaknesses (CWE)

CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.

  • [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
  • [Requirements] Select a programming language that is not susceptible to these issues.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: May 14, 2021
Last Modified: November 21, 2024
First Seen: May 14, 2021

Related Vulnerabilities