CVE-2021-29584: TensorFlow: integer overflow DoS in SparseSplit op

MEDIUM PoC AVAILABLE
Published May 14, 2021
CISO Take

A local attacker with low privileges can crash TensorFlow processes by crafting a SparseSplit operation with oversized tensor dimensions, triggering an integer overflow and CHECK-fail assertion. In shared ML platforms—Jupyter hubs, multi-tenant model servers, or internal AI APIs accepting user-defined ops—this becomes a practical availability threat. Upgrade to TF 2.5.0 or patched backports (2.4.2, 2.3.3, 2.2.3, 2.1.4) immediately; restrict untrusted tensor op submission in shared environments as a compensating control.

Risk Assessment

Medium overall, but context-dependent. The CVSS 5.5 score reflects local access requirement, which limits mass exploitation. However, in shared ML infrastructure (multi-tenant Jupyter, internal model serving endpoints, AutoML platforms), 'local access' is often a low bar—any authenticated user or API consumer qualifies. No in-the-wild exploitation recorded, not in CISA KEV. The trivial exploitation mechanics (craft oversized shape dimensions) elevate practical risk above the base score in shared-compute environments.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

5 steps
  1. PATCH

    Upgrade TensorFlow to ≥2.5.0 or apply backports: 2.4.2, 2.3.3, 2.2.3, or 2.1.4. Commit fix: 4c0ee937c0f61c4fc5f5d32d9bb4c67428012a60.

  2. VALIDATE INPUT

    Add dimension bounds checks before passing user-supplied shapes to SparseSplit; reject requests where shape dimensions exceed safe thresholds.

  3. ISOLATE

    Run TF model servers in separate processes per user/tenant to contain blast radius of a crash.

  4. MONITOR

    Alert on abnormal TF process terminations (SIGABRT/CHECK-fail logs) as potential exploitation indicators.

  5. DETECT

    Search for patterns like extreme tensor dimension values (approaching INT64_MAX) in model serving logs.
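
One way to implement the bounds check from step 2, as an added example (not TensorFlow's code and not part of this advisory): the function name and the three limits are assumptions. It rejects a dense_shape whose element count would not fit in int64, the condition the NVD description says makes InitDims fail, before the shape reaches SparseSplit.

```python
import operator

INT64_MAX = 2**63 - 1
# Assumed policy limits (not from TensorFlow); size them to your real workloads.
MAX_RANK = 8
MAX_DIM = 2**31 - 1
MAX_ELEMENTS = 2**40


def shape_rejection_reason(shape):
    """Return None if dense_shape is safe to pass on, else a reason string."""
    if not isinstance(shape, (list, tuple)) or not 0 < len(shape) <= MAX_RANK:
        return "rank out of range"
    elements = 1
    for i, dim in enumerate(shape):
        if isinstance(dim, bool):  # bool passes operator.index(); reject it
            return f"dim {i} is not an integer"
        try:
            dim = operator.index(dim)  # accepts int and NumPy ints, not float/str
        except TypeError:
            return f"dim {i} is not an integer"
        if not 0 <= dim <= MAX_DIM:
            return f"dim {i} out of range"
        elements *= dim  # Python ints do not wrap, so the true product is seen
        if elements > INT64_MAX:
            return "element count overflows int64"
    if elements > MAX_ELEMENTS:
        return "element count exceeds policy limit"
    return None


if __name__ == "__main__":
    # Constructed sample requests; the second is the shape quoted in this
    # advisory's exploitation scenario.
    for shape in ([4, 6], [9223372036854775807, 2], [2**31 - 1] * 3, [1e19, 2]):
        reason = shape_rejection_reason(shape)
        print(shape, "->", "accept" if reason is None else f"reject: {reason}")
```

Logging each rejection with its reason and the caller's identity gives the DETECT step a direct signal instead of a post-crash log search.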

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity for high-risk AI
ISO 42001
A.9.2 - AI System Availability and Resilience
NIST AI RMF
GOVERN-1.4 - Organizational teams are committed to risk management
MANAGE-2.2 - Mechanisms to sustain AI risk management

Frequently Asked Questions

Is CVE-2021-29584 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29584, increasing the risk of exploitation.

What systems are affected by CVE-2021-29584?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML platforms, notebook environments.

What is the CVSS score for CVE-2021-29584?

CVE-2021-29584 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail caused by an integer overflow in constructing a new tensor shape. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/0908c2f2397c099338b901b067f6495a5b96760b/tensorflow/core/kernels/sparse_split_op.cc#L66-L70) builds a dense shape without checking that the dimensions would not result in overflow. The `TensorShape` constructor (https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188) uses a `CHECK` operation which triggers when `InitDims` (https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An internal data scientist on a shared ML platform submits a SparseSplit operation via a Jupyter notebook with a dense_shape tensor constructed so that multiplying its dimensions causes integer overflow (e.g., shape [9223372036854775807, 2]). The TensorShape constructor calls InitDims, which returns a non-OK status due to the overflow; the CHECK macro then triggers and aborts the TF process with SIGABRT. In a shared model-serving scenario, a single crafted API request to an endpoint accepting sparse tensor inputs crashes the serving process, causing a denial of service for all concurrent users. The attack requires no exploit payload, just knowledge of the overflow condition.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021
