CVE-2021-29580 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

A local attacker with low privileges can crash TensorFlow processes by passing empty tensors to the FractionalMaxPoolGrad operation, triggering undefined behavior and a forced process abort. While not remotely exploitable by default, multi-tenant ML platforms or model serving endpoints accepting user-controlled tensor inputs are exposed. Patch to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 immediately.

Risk Assessment

Medium risk in isolated environments, elevated in shared ML infrastructure. The CVSS Local attack vector limits opportunistic exploitation, but any ML platform that processes user-submitted model inputs—including TF Serving, Jupyter environments, or shared training clusters—widens the attack surface to lower-trust users. No active exploitation or KEV listing, but the trivial exploit complexity (pass an empty tensor) means any user with model inference access could trigger it.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 1% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade TensorFlow to 2.5.0; backports available for 2.4.2, 2.3.3, 2.2.3, 2.1.4.
VALIDATE

Add input tensor shape and rank validation before invoking FractionalMaxPoolGrad in any custom serving code.
ISOLATE

Run model serving processes in containers with automatic restart policies (e.g., Kubernetes restart-on-crash) to minimize availability impact.
SCOPE

Audit whether FractionalMaxPool/FractionalMaxPoolGrad ops are used in your deployed model graphs—if not, risk is negligible.
DETECT

Alert on unexpected TensorFlow process terminations with CHECK-fail signatures in logs.

Classification

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity for high-risk AI systems

ISO 42001

8.4 - AI system security

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain the value of deployed AI and improve performance

OWASP LLM Top 10

LLM09 - Overreliance / Misinformation (reframed as Model Robustness)

Frequently Asked Questions

What is CVE-2021-29580?

A local attacker with low privileges can crash TensorFlow processes by passing empty tensors to the FractionalMaxPoolGrad operation, triggering undefined behavior and a forced process abort. While not remotely exploitable by default, multi-tenant ML platforms or model serving endpoints accepting user-controlled tensor inputs are exposed. Patch to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 immediately.

Is CVE-2021-29580 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29580, increasing the risk of exploitation.

How to fix CVE-2021-29580?

1. PATCH: Upgrade TensorFlow to 2.5.0; backports available for 2.4.2, 2.3.3, 2.2.3, 2.1.4. 2. VALIDATE: Add input tensor shape and rank validation before invoking FractionalMaxPoolGrad in any custom serving code. 3. ISOLATE: Run model serving processes in containers with automatic restart policies (e.g., Kubernetes restart-on-crash) to minimize availability impact. 4. SCOPE: Audit whether FractionalMaxPool/FractionalMaxPoolGrad ops are used in your deployed model graphs—if not, risk is negligible. 5. DETECT: Alert on unexpected TensorFlow process terminations with CHECK-fail signatures in logs.

What systems are affected by CVE-2021-29580?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference.

What is the CVSS score for CVE-2021-29580?

CVE-2021-29580 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.FractionalMaxPoolGrad` triggers an undefined behavior if one of the input tensors is empty. The code is also vulnerable to a denial of service attack as a `CHECK` condition becomes false and aborts the process. The implementation(https://github.com/tensorflow/tensorflow/blob/169054888d50ce488dfde9ca55d91d6325efbd5b/tensorflow/core/kernels/fractional_max_pool_op.cc#L215) fails to validate that input and output tensors are not empty and are of the same rank. Each of these unchecked assumptions is responsible for the above issues. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with access to a multi-tenant TF Serving deployment or a Jupyter notebook environment submits a crafted inference request containing a model that invokes FractionalMaxPoolGrad with an empty output_backprop tensor. The missing rank/empty validation causes a CHECK assertion to fail, aborting the TensorFlow serving process. In a shared environment, this crashes inference availability for all concurrent users. An internal threat actor (data scientist, contractor) or a low-privilege user in a cloud ML platform (e.g., SageMaker, Vertex AI custom containers running unpatched TF) could trigger this repeatedly as a harassment or disruption technique.