CVE-2021-29581: TensorFlow: DoS via null buffer in CTCBeamSearchDecoder

MEDIUM PoC AVAILABLE
Published May 14, 2021
CISO Take

A missing input validation in TensorFlow's CTCBeamSearchDecoder op allows any user with low-privilege local access — or API-level access to an exposed inference service — to crash the TensorFlow runtime via a null pointer dereference. Patch immediately to TF 2.5.0 or the corresponding backport for your branch (2.4.2, 2.3.3, 2.2.3, 2.1.4). If you run multi-tenant ML inference platforms or expose TF raw ops through any API surface, treat this as higher priority than the CVSS score implies.

Risk Assessment

CVSS 5.5 Medium with a local attack vector understates real-world risk in ML infrastructure. In isolated development environments the exploitability is genuinely low. However, any inference service, Jupyter environment, or MLOps platform that accepts user-defined model operations effectively promotes this to a remotely triggerable DoS. The exploit is trivial — passing an empty tensor — requiring no specialized ML knowledge. Not in CISA KEV and no known active exploitation, but the affected code path (CTC sequence decoding) is common in speech recognition and OCR production pipelines.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

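AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High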

Recommended Action

5 steps
  1. PATCH

    Upgrade to TensorFlow 2.5.0 or cherrypicked backports: 2.4.2, 2.3.3, 2.2.3, 2.1.4. Verify via pip show tensorflow or tf.__version__.

  2. INPUT VALIDATION

    Add explicit checks for empty/zero-dimension tensors before passing to CTCBeamSearchDecoder. Reject inputs where sequence_length or inputs tensor has zero elements.

  3. ISOLATION

    Run TF inference workers in isolated processes or containers with automatic restart policies (systemd, Kubernetes liveness probes) to limit DoS blast radius.

  4. ACCESS CONTROL

    Restrict direct access to tf.raw_ops in production; wrap with input sanitization layers.

  5. DETECTION

    Monitor for unexpected TF worker crashes or SIGSEGV signals in inference pods; instrument with crash reporting to catch exploitation attempts.
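
The input-validation step above, written as a pre-flight guard that runs before arguments reach tf.raw_ops.CTCBeamSearchDecoder. This is an added example, not TensorFlow's code or this page's; the names validate_ctc_inputs, check_request and CTCInputError are hypothetical, and the batch-size, range and beam checks go beyond the empty-tensor case the advisory names.

```python
from typing import Optional, Sequence, Tuple


class CTCInputError(ValueError):
    """Decoder arguments that must not reach the TensorFlow kernel."""


def validate_ctc_inputs(inputs_shape: Sequence[Optional[int]],
                        sequence_length: Sequence[int],
                        beam_width: int, top_paths: int) -> None:
    """Raise unless the logits shape [max_time, batch_size, num_classes] is safe."""
    if len(inputs_shape) != 3:
        raise CTCInputError(f"inputs must be rank 3, got rank {len(inputs_shape)}")
    # Unknown (None) dimensions are rejected: emptiness cannot be ruled out.
    if any(d is None or d <= 0 for d in inputs_shape):
        raise CTCInputError(f"inputs tensor is empty or unsized: {list(inputs_shape)}")
    max_time, batch_size, _ = inputs_shape
    if len(sequence_length) == 0:
        raise CTCInputError("sequence_length is empty")
    # Assumption beyond the page: one length per batch entry, within max_time.
    if len(sequence_length) != batch_size:
        raise CTCInputError(
            f"sequence_length has {len(sequence_length)} entries, batch is {batch_size}")
    for i, n in enumerate(sequence_length):
        if not 0 <= n <= max_time:
            raise CTCInputError(f"sequence_length[{i}]={n} outside 0..{max_time}")
    if beam_width < 1 or not 1 <= top_paths <= beam_width:
        raise CTCInputError("need beam_width >= 1 and 1 <= top_paths <= beam_width")


def check_request(inputs_shape, sequence_length, beam_width, top_paths) -> Tuple[bool, str]:
    """Gateway-friendly form: (accepted, reason) instead of an exception."""
    try:
        validate_ctc_inputs(inputs_shape, sequence_length, beam_width, top_paths)
    except CTCInputError as exc:
        return False, str(exc)
    return True, "ok"


# Constructed sample requests: one well-formed, two that must be rejected.
SAMPLES = [
    ((50, 4, 29), [50, 42, 7, 0], 10, 1),
    ((0, 4, 29), [0, 0, 0, 0], 10, 1),
    ((50, 4, 29), [], 10, 1),
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], "->", check_request(*sample))
```

Call the guard in the request handler and log the rejection reason; a rejected request should return a client error rather than being forwarded to the worker.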

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
  A.6.2.5 - AI system security
  A.9.2 - Availability of AI systems
NIST AI RMF
  GOVERN-6.1 - Policies for managing third-party AI risks
  MANAGE-2.2 - Treatments are applied to address identified AI risks
OWASP LLM Top 10
  LLM07 - System Prompt Leakage / Insecure Plugin Design

Frequently Asked Questions

What is CVE-2021-29581?

A missing input validation in TensorFlow's CTCBeamSearchDecoder op allows any user with low-privilege local access — or API-level access to an exposed inference service — to crash the TensorFlow runtime via a null pointer dereference. Patch immediately to TF 2.5.0 or the corresponding backport for your branch (2.4.2, 2.3.3, 2.2.3, 2.1.4). If you run multi-tenant ML inference platforms or expose TF raw ops through any API surface, treat this as higher priority than the CVSS score implies.

Is CVE-2021-29581 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29581, increasing the risk of exploitation.

How to fix CVE-2021-29581?

1. PATCH: Upgrade to TensorFlow 2.5.0 or cherrypicked backports: 2.4.2, 2.3.3, 2.2.3, 2.1.4. Verify via `pip show tensorflow` or `tf.__version__`.
2. INPUT VALIDATION: Add explicit checks for empty/zero-dimension tensors before passing to CTCBeamSearchDecoder. Reject inputs where sequence_length or inputs tensor has zero elements.
3. ISOLATION: Run TF inference workers in isolated processes or containers with automatic restart policies (systemd, Kubernetes liveness probes) to limit DoS blast radius.
4. ACCESS CONTROL: Restrict direct access to tf.raw_ops in production; wrap with input sanitization layers.
5. DETECTION: Monitor for unexpected TF worker crashes or SIGSEGV signals in inference pods; instrument with crash reporting to catch exploitation attempts.

What systems are affected by CVE-2021-29581?

This vulnerability affects the following AI/ML architecture patterns: model serving, speech recognition pipelines, OCR and sequence labeling pipelines, training pipelines, multi-tenant ML inference platforms.

What is the CVSS score for CVE-2021-29581?

CVE-2021-29581 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.CTCBeamSearchDecoder`, an attacker can trigger denial of service via segmentation faults. The implementation (https://github.com/tensorflow/tensorflow/blob/a74768f8e4efbda4def9f16ee7e13cf3922ac5f7/tensorflow/core/kernels/ctc_decoder_ops.cc#L68-L79) fails to detect cases when the input tensor is empty and proceeds to read data from a null buffer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting a speech recognition or OCR inference service built on TensorFlow sends a crafted API request containing an empty input tensor (shape [0, batch, features]) to the CTC decoding endpoint. The application passes the tensor directly to tf.raw_ops.CTCBeamSearchDecoder without validation. TensorFlow attempts to read sequence data from a null buffer, triggering a segmentation fault that crashes the inference process. In a Kubernetes deployment without proper liveness probes, the pod enters a crash loop; in a bare-metal or VM deployment, the service is unavailable until manually restarted. In a shared multi-tenant platform, this denies service to all tenants sharing the worker.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: May 14, 2021
Last Modified: November 21, 2024
First Seen: May 14, 2021
