CVE-2021-29582: TensorFlow: OOB heap read via Dequantize shape mismatch

Severity: HIGH. Public PoC available.
Published May 14, 2021
CISO Take

TensorFlow's Dequantize op fails to validate that min_range and max_range tensors share the same shape, allowing a low-privileged attacker to trigger out-of-bounds heap reads. Any inference or training infrastructure where external inputs reach TF raw ops is at risk of heap memory disclosure. Patch to TF 2.5.0+ immediately; if running 2.1.x–2.4.x apply the available cherrypick patches.

Risk Assessment

CVSS 7.1 (High): local attack vector, low attack complexity and low privileges required, so any principal that can feed tensors to the TensorFlow runtime can trigger it. In model serving contexts (TF Serving, custom inference APIs) the 'local' constraint can collapse to network-reachable if caller-controlled tensors reach the op's min_range and max_range inputs. The High confidentiality and availability impacts map to disclosure of adjacent heap memory (the out-of-bounds values feed the dequantized output, so they can be inferred from the response) and to crashes when the read leaves mapped memory; integrity is not affected. The CVE is not in CISA KEV and dates from 2021, so patched fleets are low urgency, while unpatched legacy ML infrastructure still carries elevated risk.

Affected Systems

Package: tensorflow
Ecosystem: pip
Vulnerable range: releases before 2.5.0 that lack the cherrypicked fix (2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.2)
Patched: 2.5.0; fix cherrypicked into 2.4.2, 2.3.3, 2.2.3 and 2.1.4


Severity & Risk

CVSS 3.1: 7.1 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation status: exploit available; exploitation likelihood MEDIUM; sophistication moderate; exploitation confidence medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): High

Recommended Action

  1. Upgrade TensorFlow to 2.5.0 or later.

  2. If on an older supported branch, take the cherrypicked fix (commit 5899741d) shipped in TF 2.4.2, 2.3.3, 2.2.3 or 2.1.4.

  3. In TF Serving and custom inference APIs, validate input tensor shapes before operator dispatch: min_range and max_range must share one shape (a scalar, or one value per slice along the quantization axis), and requests that violate this are rejected at the API boundary.

  4. Run TF runtime processes under least privilege, and avoid co-locating tenants' models in one process, to contain the blast radius of a heap disclosure.

  5. Audit model serving endpoints for raw tf.raw_ops interfaces reachable by untrusted callers, and for served graphs that wire caller-supplied tensors into Dequantize's range inputs.

  6. Monitor for anomalous tensor shape inputs (e.g., mismatched rank or dimension inputs to quantization ops) as a detection signal; legitimate quantized models never produce them.
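One way to implement steps 3 and 6 at the API boundary, as an added example that is not TensorFlow's or this page's own code. It encodes the invariant the fix enforces (min_range and max_range share a shape that matches the op's mode), models the kernel's per-slice parallel read in pure Python to show where the unchecked index lands, and logs every rejection as a detection record. The shape rules, the kernel model, `shape_of`, `range_shape_error`, `safe_dequantize` and the constructed inputs are all assumptions of this example; the real op (tf.raw_ops.Dequantize) is injected as a callable so the file runs without TensorFlow installed.

```python
# Added example for CVE-2021-29582, not TensorFlow's own code. The shape
# checks and the "kernel model" below are this page's assumptions about the
# invariant the fix enforces; tf.raw_ops.Dequantize itself is never called.
from typing import Callable, List, Optional, Sequence, Tuple

Shape = Tuple[int, ...]


def shape_of(x) -> Shape:
    """Shape of a nested Python list, standing in for Tensor.shape."""
    dims = []
    while isinstance(x, list):
        dims.append(len(x))
        x = x[0] if x else None
    return tuple(dims)


def range_shape_error(input_shape: Shape, min_shape: Shape, max_shape: Shape,
                      axis: int = -1) -> Optional[str]:
    """Return a reason string if min_range/max_range are inconsistent, else None.

    This is the check the unpatched kernel skipped: both range tensors must
    share a shape, and that shape must be a scalar (axis == -1) or one value
    per slice of `input` along `axis` (per-channel mode).
    """
    if min_shape != max_shape:
        return f"min_range shape {min_shape} != max_range shape {max_shape}"
    if axis == -1:
        return None if min_shape == () else f"scalar ranges required, got {min_shape}"
    if not 0 <= axis < len(input_shape):
        return f"axis {axis} invalid for input shape {input_shape}"
    expected = (input_shape[axis],)
    return None if min_shape == expected else f"expected range shape {expected}, got {min_shape}"


def unsafe_slice_ranges(num_slices: int, min_range: Sequence[float],
                        max_range: Sequence[float]) -> List[Tuple[float, float]]:
    """Pure-Python model of the per-slice loop (an assumption about the
    kernel's structure, not its code): it walks min_range and max_range in
    parallel for num_slices = input.dim_size(axis) and never compares their
    lengths. Python raises IndexError on the short tensor; the unpatched C++
    kernel instead read whatever lay past the end of that heap buffer."""
    return [(min_range[i], max_range[i]) for i in range(num_slices)]


def safe_dequantize(dequantize_op: Callable, input_tensor, min_range, max_range,
                    axis: int = -1, audit_log: Optional[list] = None):
    """Validate at the API boundary, log the rejection, then dispatch.

    dequantize_op is whatever actually runs the op (tf.raw_ops.Dequantize in
    a real deployment); it is injected so this file runs without TensorFlow.
    """
    reason = range_shape_error(shape_of(input_tensor), shape_of(min_range),
                               shape_of(max_range), axis)
    if reason is not None:
        if audit_log is not None:
            # Mismatched range shapes never occur in legitimate quantized
            # models, so each rejection is a useful detection signal.
            audit_log.append({"op": "Dequantize", "axis": axis, "reason": reason})
        raise ValueError(f"Dequantize rejected: {reason}")
    return dequantize_op(input_tensor, min_range, max_range, axis)


def demo() -> dict:
    """Constructed inputs: a 2x3 uint8 tensor with per-channel ranges on axis 0."""
    quantized = [[0, 128, 255], [0, 64, 255]]
    log: list = []
    dispatched = lambda *args: "dispatched"  # stands in for the real op
    ok = safe_dequantize(dispatched, quantized, [0.0, -1.0], [1.0, 1.0],
                         axis=0, audit_log=log)
    try:  # max_range holds one value for two slices: the CVE trigger shape
        safe_dequantize(dispatched, quantized, [0.0, -1.0], [1.0],
                        axis=0, audit_log=log)
        rejected = False
    except ValueError:
        rejected = True
    try:  # same shapes fed straight to the unchecked loop
        unsafe_slice_ranges(2, [0.0, -1.0], [1.0])
        oob = False
    except IndexError:
        oob = True  # the point where the C++ kernel read past max_range
    return {"ok": ok, "rejected": rejected, "oob_in_model": oob, "log": log}


if __name__ == "__main__":
    print(demo())
```

The validator is deliberately independent of TensorFlow so it can sit in the request-parsing layer of a serving front end, where the shapes of every tensor are known before anything is dispatched to the runtime; the audit records it emits are the signal step 6 asks for.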

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15: Accuracy, robustness and cybersecurity
Article 9: Risk management system
ISO 42001
A.10.3: Third-party and supply chain AI risk
A.6.2: AI system lifecycle risk management
NIST AI RMF
GOVERN 1.7: Processes for organizational AI risk governance
MANAGE 2.2: Mechanisms to sustain AI risk management

Frequently Asked Questions

What is CVE-2021-29582?

TensorFlow's Dequantize op fails to validate that min_range and max_range tensors share the same shape, allowing a low-privileged attacker to trigger out-of-bounds heap reads. Any inference or training infrastructure where external inputs reach TF raw ops is at risk of heap memory disclosure. Patch to TF 2.5.0+ immediately; if running 2.1.x–2.4.x apply the available cherrypick patches.

Is CVE-2021-29582 actively exploited?

No evidence of active exploitation is recorded here: CVE-2021-29582 is not in CISA KEV and its EPSS score is 0.01%. Proof-of-concept code is publicly indexed (trickest/cve), however, so a runtime that accepts caller-controlled tensors should not be treated as safe merely because no in-the-wild use has been reported.

How to fix CVE-2021-29582?

1. Upgrade TensorFlow to 2.5.0 or later.
2. If on an older supported branch, take the cherrypicked fix (commit 5899741d) shipped in TF 2.4.2, 2.3.3, 2.2.3 or 2.1.4.
3. In TF Serving and custom inference APIs, validate input tensor shapes before operator dispatch: min_range and max_range must share one shape (a scalar, or one value per slice along the quantization axis), and requests that violate this are rejected at the API boundary.
4. Run TF runtime processes under least privilege, and avoid co-locating tenants' models in one process, to contain the blast radius of a heap disclosure.
5. Audit model serving endpoints for raw tf.raw_ops interfaces reachable by untrusted callers, and for served graphs that wire caller-supplied tensors into Dequantize's range inputs.
6. Monitor for anomalous tensor shape inputs (e.g., mismatched rank or dimension inputs to quantization ops) as a detection signal.

What systems are affected by CVE-2021-29582?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, edge inference, quantized model deployment.

What is the CVSS score for CVE-2021-29582?

CVE-2021-29582 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.Dequantize`, an attacker can trigger a read from outside of bounds of heap allocated data. The implementation (https://github.com/tensorflow/tensorflow/blob/26003593aa94b1742f34dc22ce88a1e17776a67d/tensorflow/core/kernels/dequantize_op.cc#L106-L131) accesses the `min_range` and `max_range` tensors in parallel but fails to check that they have the same shape. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker who can submit tensors to a TensorFlow runtime (through a TF Serving gRPC or REST endpoint, or a custom inference API) supplies min_range and max_range tensors of deliberately mismatched shapes to a graph that executes Dequantize on them. Because the unpatched C++ kernel walks both range tensors in parallel without checking that their shapes agree, it reads past the end of the shorter one's heap buffer; the values it reads feed the dequantized output, so adjacent heap contents can be inferred from the response, and a read that runs off mapped memory crashes the serving process. Two conditions bound the scenario: the attacker must control the shapes of both range tensors, which requires either raw tf.raw_ops execution or a served graph that wires caller-supplied tensors into Dequantize's range inputs, and only memory of the process running the op is exposed. In a multi-tenant inference cluster where tenants share a serving process, repeated triggering can leak fragments of other tenants' deserialized model weights or inference results that happen to sit near the range buffers. On an edge device the same holds only where the core TensorFlow runtime executes the op on attacker-fed tensors; an unrelated co-process cannot read the runtime's heap through this bug, and the separate TFLite kernel set is outside this advisory's scope.

Weaknesses (CWE)

CWE-125: Out-of-bounds Read

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities