AI Threat Alert AI Threat Alert

CVE-2021-29579: TensorFlow: heap buffer overflow in MaxPoolGrad kernel

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

TensorFlow's MaxPoolGrad operation contains a heap buffer overflow (OOB write) exploitable by any local user with low privileges — a serious risk in shared ML training clusters and multi-tenant Jupyter environments. Patch immediately to TF 2.5.0 or the respective backport (2.4.2, 2.3.3, 2.2.3, 2.1.4). Treat unpatched TensorFlow training nodes as high-risk lateral movement surfaces, particularly in Kubernetes-based ML pipelines where service accounts carry elevated permissions.

Risk Assessment

CVSS 7.8 HIGH with local attack vector, low complexity, and low privileges required. While remote exploitation requires indirect access (malicious notebook submission, shared cluster), the combination of low complexity and full C/I/A impact makes this dangerous in multi-tenant ML environments. Not in CISA KEV; no evidence of active in-the-wild exploitation. Risk is materially elevated for organizations running shared GPU/TPU training infrastructure where multiple users submit jobs to the same nodes.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.8 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 2% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

Recommended Action

6 steps

  1. Upgrade TensorFlow to 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 depending on your current branch — confirm with python -c 'import tensorflow as tf; print(tf.__version__)' on all hosts.

  2. Inventory all TensorFlow deployments: include training clusters, CI/CD pipelines, notebook servers, and model serving containers.

  3. Apply network segmentation to isolate ML training nodes from production systems.

  4. Restrict local shell access to training nodes — audit which accounts have SSH/console access and apply least privilege.

  5. Enable process and file integrity monitoring on TF training hosts.

  6. For Kubernetes ML pipelines: audit service account permissions on nodes running TensorFlow training jobs.

Classification

Code Execution Framework Inference AML.T0010.001 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 17 - Quality management system — technical robustness
ISO 42001
A.6.2.6 - AI system lifecycle — software component integrity
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI

Frequently Asked Questions

What is CVE-2021-29579?

TensorFlow's MaxPoolGrad operation contains a heap buffer overflow (OOB write) exploitable by any local user with low privileges — a serious risk in shared ML training clusters and multi-tenant Jupyter environments. Patch immediately to TF 2.5.0 or the respective backport (2.4.2, 2.3.3, 2.2.3, 2.1.4). Treat unpatched TensorFlow training nodes as high-risk lateral movement surfaces, particularly in Kubernetes-based ML pipelines where service accounts carry elevated permissions.

Is CVE-2021-29579 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29579, increasing the risk of exploitation.

How to fix CVE-2021-29579?

1. Upgrade TensorFlow to 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 depending on your current branch — confirm with `python -c 'import tensorflow as tf; print(tf.__version__)'` on all hosts. 2. Inventory all TensorFlow deployments: include training clusters, CI/CD pipelines, notebook servers, and model serving containers. 3. Apply network segmentation to isolate ML training nodes from production systems. 4. Restrict local shell access to training nodes — audit which accounts have SSH/console access and apply least privilege. 5. Enable process and file integrity monitoring on TF training hosts. 6. For Kubernetes ML pipelines: audit service account permissions on nodes running TensorFlow training jobs.

What systems are affected by CVE-2021-29579?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared notebook environments, ML training clusters.

What is the CVSS score for CVE-2021-29579?

CVE-2021-29579 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGrad` is vulnerable to a heap buffer overflow. The implementation(https://github.com/tensorflow/tensorflow/blob/ab1e644b48c82cb71493f4362b4dd38f4577a1cf/tensorflow/core/kernels/maxpooling_op.cc#L194-L203) fails to validate that indices used to access elements of input/output arrays are valid. Whereas accesses to `input_backprop_flat` are guarded by `FastBoundsCheck`, the indexing in `out_backprop_flat` can result in OOB access. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with low-privilege shell access to a shared GPU training server — for example, a data scientist account on a multi-tenant ML cluster — crafts a malicious TensorFlow script invoking `tf.raw_ops.MaxPoolGrad` with specially crafted tensor shapes that trigger the OOB write in `out_backprop_flat`. The heap corruption enables arbitrary code execution in the TensorFlow process context. If the training job runs under a Kubernetes service account with broad permissions (common in MLOps pipelines), the attacker escalates to cluster-wide access — enabling trained model exfiltration, training data theft, or lateral movement to adjacent production systems sharing the cluster.

Weaknesses (CWE)

CWE-787 Primary CWE-119

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed