CVE-2021-29582: TensorFlow: OOB heap read via Dequantize shape mismatch

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

TensorFlow's Dequantize op fails to validate that min_range and max_range tensors share the same shape, allowing a low-privileged attacker to trigger out-of-bounds heap reads. Any inference or training infrastructure where external inputs reach TF raw ops is at risk of heap memory disclosure. Patch to TF 2.5.0+ immediately; if running 2.1.x–2.4.x apply the available cherrypick patches.

What is the risk?

CVSS 7.1 (High) with local attack vector, low complexity, and low privileges required makes this straightforward to exploit for any user with access to the TensorFlow runtime. In model serving contexts (TF Serving, custom inference APIs), the 'local' constraint may effectively collapse to network-accessible if user-controlled tensor inputs are accepted. High confidentiality and availability impact means heap memory disclosure and potential service disruption. It is not in CISA KEV and was published in 2021, which reduces urgency for patched environments but leaves elevated risk for unpatched legacy ML infrastructure.

What systems are affected?

Package: TensorFlow
Ecosystem: pip
Vulnerable Range: not listed
Patched: No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.1 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 10% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): High

What should I do?

6 steps
  1. Upgrade TensorFlow to 2.5.0 or later.

  2. If on older supported branches, apply cherrypick patch (commit 5899741d) targeting TF 2.4.2, 2.3.3, 2.2.3, or 2.1.4.

  3. In TF Serving and custom inference APIs, enforce strict input tensor shape validation before operator dispatch; reject mismatched shapes at the API boundary.

  4. Apply least-privilege to TF runtime processes to contain potential heap disclosure blast radius.

  5. Audit model serving endpoints for exposure of raw tf.raw_ops interfaces to untrusted callers.

  6. Monitor for anomalous tensor shape inputs (e.g., mismatched rank/dimension inputs to quantization ops) as a detection signal.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.10.3 - Third-party and supply chain AI risk
A.6.2 - AI system lifecycle risk management
NIST AI RMF
GOVERN 1.7 - Processes for organizational AI risk governance
MANAGE 2.2 - Mechanisms to sustain AI risk management

Frequently Asked Questions

What is CVE-2021-29582?

TensorFlow's Dequantize op fails to validate that min_range and max_range tensors share the same shape, allowing a low-privileged attacker to trigger out-of-bounds heap reads. Any inference or training infrastructure where external inputs reach TF raw ops is at risk of heap memory disclosure. Patch to TF 2.5.0+ immediately; if running 2.1.x–2.4.x apply the available cherrypick patches.

Is CVE-2021-29582 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29582, increasing the risk of exploitation.

How to fix CVE-2021-29582?

  1. Upgrade TensorFlow to 2.5.0 or later.
  2. If on older supported branches, apply cherrypick patch (commit 5899741d) targeting TF 2.4.2, 2.3.3, 2.2.3, or 2.1.4.
  3. In TF Serving and custom inference APIs, enforce strict input tensor shape validation before operator dispatch; reject mismatched shapes at the API boundary.
  4. Apply least-privilege to TF runtime processes to contain potential heap disclosure blast radius.
  5. Audit model serving endpoints for exposure of raw tf.raw_ops interfaces to untrusted callers.
  6. Monitor for anomalous tensor shape inputs (e.g., mismatched rank/dimension inputs to quantization ops) as a detection signal.

What systems are affected by CVE-2021-29582?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, edge inference, quantized model deployment.

What is the CVSS score for CVE-2021-29582?

CVE-2021-29582 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

model serving
training pipelines
edge inference
quantized model deployment

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0040 AI Model Inference API Access
AML.T0043 Craft Adversarial Data
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.10.3, A.6.2
NIST AI RMF: GOVERN 1.7, MANAGE 2.2

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.Dequantize`, an attacker can trigger a read from outside of bounds of heap allocated data. The implementation (https://github.com/tensorflow/tensorflow/blob/26003593aa94b1742f34dc22ce88a1e17776a67d/tensorflow/core/kernels/dequantize_op.cc#L106-L131) accesses the `min_range` and `max_range` tensors in parallel but fails to check that they have the same shape. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
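Steps 3 and 6 of "What should I do?" call for shape validation at the API boundary and for logging mismatched-shape inputs as a detection signal; the following added example (not TensorFlow's or TF Serving's own code) implements that pre-dispatch check for the Dequantize operand shapes the advisory describes. It assumes the op's documented contract, that `min_range` and `max_range` share one shape (scalars when `axis=-1`, otherwise 1-D vectors of length `input.shape[axis]`); the request ids and shapes are constructed.

```python
# Added example (not TensorFlow's own code): pre-dispatch shape validation for
# a Dequantize request, the check the vulnerable kernel omitted.
from typing import Dict, List, Optional, Tuple

Shape = Tuple[int, ...]

def validate_dequantize_shapes(input_shape: Shape, min_shape: Shape,
                               max_shape: Shape, axis: int = -1) -> Optional[str]:
    """Return None when the operand shapes satisfy Dequantize's contract,
    otherwise a reason string suitable for a rejection log line.

    Assumed contract: min_range and max_range have identical shapes; with
    axis == -1 both are scalars, with axis >= 0 both are 1-D vectors whose
    length equals input_shape[axis] (per-channel dequantization)."""
    # The missing check from CVE-2021-29582: both range tensors are indexed
    # in lock-step, so a shape mismatch means one of them is read past its end.
    if min_shape != max_shape:
        return f"min_range shape {min_shape} != max_range shape {max_shape}"
    if axis == -1:
        return None if min_shape == () else f"axis=-1 needs scalar ranges, got {min_shape}"
    if not 0 <= axis < len(input_shape):
        return f"axis {axis} out of range for input rank {len(input_shape)}"
    depth = input_shape[axis]
    if min_shape != (depth,):
        return f"per-channel ranges must have shape ({depth},), got {min_shape}"
    return None

def screen_requests(requests: List[Dict]) -> Tuple[List[Dict], List[str]]:
    """Split serving requests into accepted ones and rejection log lines
    (the detection signal: mismatched-shape requests are logged, not dispatched)."""
    accepted, log = [], []
    for req in requests:
        reason = validate_dequantize_shapes(req["input"], req["min_range"],
                                            req["max_range"], req.get("axis", -1))
        if reason is None:
            accepted.append(req)
        else:
            log.append(f"REJECT Dequantize request_id={req['id']}: {reason}")
    return accepted, log

# Constructed sample requests (shapes only; tensor contents do not matter here).
SAMPLE_REQUESTS = [
    {"id": "r1", "input": (1, 224, 224, 3), "min_range": (), "max_range": ()},
    {"id": "r2", "input": (1, 224, 224, 3), "min_range": (3,), "max_range": (3,), "axis": 3},
    {"id": "r3", "input": (1, 224, 224, 3), "min_range": (3,), "max_range": (1,), "axis": 3},
    {"id": "r4", "input": (1, 224, 224, 3), "min_range": (), "max_range": (2,)},
    {"id": "r5", "input": (1, 224, 224, 3), "min_range": (4,), "max_range": (4,), "axis": 3},
]
```

Running `screen_requests(SAMPLE_REQUESTS)` accepts r1 and r2 and produces one REJECT log line each for r3, r4 and r5, which is the per-request signal step 6 asks to monitor.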

Exploitation Scenario

An attacker with low-privilege access to a TF Serving gRPC or REST endpoint crafts a prediction request invoking Dequantize with min_range and max_range tensors of deliberately mismatched shapes. The missing shape validation in the C++ kernel causes the op to read beyond the allocated heap buffer for one of the tensors, leaking adjacent heap memory. In a multi-tenant ML inference cluster, a tenant could repeatedly trigger this to leak heap pages containing another tenant's deserialized model weights or inference results. On an edge device running quantized TFLite models with local process access, a malicious co-process could exploit this to extract proprietary model parameters.

Weaknesses (CWE)

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities