CVE-2021-29581: TensorFlow DoS via null buffer

CISO Take

A missing input validation in TensorFlow's CTCBeamSearchDecoder op allows any user with low-privilege local access — or API-level access to an exposed inference service — to crash the TensorFlow runtime via a null pointer dereference. Patch immediately to TF 2.5.0 or the corresponding backport for your branch (2.4.2, 2.3.3, 2.2.3, 2.1.4). If you run multi-tenant ML inference platforms or expose TF raw ops through any API surface, treat this as higher priority than the CVSS score implies.

What is the risk?

CVSS 5.5 Medium with a local attack vector understates real-world risk in ML infrastructure. In isolated development environments the exploitability is genuinely low. However, any inference service, Jupyter environment, or MLOps platform that accepts user-defined model operations effectively promotes this to a remotely triggerable DoS. The exploit is trivial — passing an empty tensor — requiring no specialized ML knowledge. Not in CISA KEV and no known active exploitation, but the affected code path (CTC sequence decoding) is common in speech recognition and OCR production pipelines.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

5.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 9% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

What should I do?

5 steps

PATCH

Upgrade to TensorFlow 2.5.0 or cherrypicked backports: 2.4.2, 2.3.3, 2.2.3, 2.1.4. Verify via pip show tensorflow or tf.__version__.
INPUT VALIDATION

Add explicit checks for empty/zero-dimension tensors before passing to CTCBeamSearchDecoder. Reject inputs where sequence_length or inputs tensor has zero elements.
ISOLATION

Run TF inference workers in isolated processes or containers with automatic restart policies (systemd, Kubernetes liveness probes) to limit DoS blast radius.
ACCESS CONTROL

Restrict direct access to tf.raw_ops in production; wrap with input sanitization layers.
DETECTION

Monitor for unexpected TF worker crashes or SIGSEGV signals in inference pods; instrument with crash reporting to catch exploitation attempts.

How is it classified?

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.5 - AI system security A.9.2 - Availability of AI systems

NIST AI RMF

GOVERN-6.1 - Policies for managing third-party AI risks MANAGE-2.2 - Treatments are applied to address identified AI risks

OWASP LLM Top 10

LLM07 - System Prompt Leakage / Insecure Plugin Design

Frequently Asked Questions

What is CVE-2021-29581?

A missing input validation in TensorFlow's CTCBeamSearchDecoder op allows any user with low-privilege local access — or API-level access to an exposed inference service — to crash the TensorFlow runtime via a null pointer dereference. Patch immediately to TF 2.5.0 or the corresponding backport for your branch (2.4.2, 2.3.3, 2.2.3, 2.1.4). If you run multi-tenant ML inference platforms or expose TF raw ops through any API surface, treat this as higher priority than the CVSS score implies.

Is CVE-2021-29581 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29581, increasing the risk of exploitation.

How to fix CVE-2021-29581?

1. PATCH: Upgrade to TensorFlow 2.5.0 or cherrypicked backports: 2.4.2, 2.3.3, 2.2.3, 2.1.4. Verify via `pip show tensorflow` or `tf.__version__`. 2. INPUT VALIDATION: Add explicit checks for empty/zero-dimension tensors before passing to CTCBeamSearchDecoder. Reject inputs where sequence_length or inputs tensor has zero elements. 3. ISOLATION: Run TF inference workers in isolated processes or containers with automatic restart policies (systemd, Kubernetes liveness probes) to limit DoS blast radius. 4. ACCESS CONTROL: Restrict direct access to tf.raw_ops in production; wrap with input sanitization layers. 5. DETECTION: Monitor for unexpected TF worker crashes or SIGSEGV signals in inference pods; instrument with crash reporting to catch exploitation attempts.

What systems are affected by CVE-2021-29581?

This vulnerability affects the following AI/ML architecture patterns: model serving, speech recognition pipelines, OCR and sequence labeling pipelines, training pipelines, multi-tenant ML inference platforms.

What is the CVSS score for CVE-2021-29581?

CVE-2021-29581 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.19%.

What is the AI security impact?

Affected AI Architectures

model servingspeech recognition pipelinesOCR and sequence labeling pipelinestraining pipelinesmulti-tenant ML inference platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0029 Denial of AI Service

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.5, A.9.2

NIST AI RMF: GOVERN-6.1, MANAGE-2.2

OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.CTCBeamSearchDecoder`, an attacker can trigger denial of service via segmentation faults. The implementation(https://github.com/tensorflow/tensorflow/blob/a74768f8e4efbda4def9f16ee7e13cf3922ac5f7/tensorflow/core/kernels/ctc_decoder_ops.cc#L68-L79) fails to detect cases when the input tensor is empty and proceeds to read data from a null buffer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting a speech recognition or OCR inference service built on TensorFlow sends a crafted API request containing an empty input tensor (shape [0, batch, features]) to the CTC decoding endpoint. The application passes the tensor directly to tf.raw_ops.CTCBeamSearchDecoder without validation. TensorFlow attempts to read sequence data from a null buffer, triggering a segmentation fault that crashes the inference process. In a Kubernetes deployment without proper liveness probes, the pod enters a crash loop; in a bare-metal or VM deployment, the service is unavailable until manually restarted. In a shared multi-tenant platform, this denies service to all tenants sharing the worker.

Weaknesses (CWE)

CWE-908 Use of Uninitialized Resource

CWE-908 — Use of Uninitialized Resource: The product uses or accesses a resource that has not been initialized.

[Implementation] Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
[Implementation] Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Source: MITRE CWE corpus.