CVE-2021-29585: TensorFlow TFLite: divide-by-zero crashes ML inference

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

Any organization running TensorFlow Lite for on-device or edge inference should patch immediately to TF 2.5.0 (or backports 2.4.2/2.3.3/2.2.3/2.1.4). An attacker with local access can load a crafted .tflite model file to trigger a crash with high confidentiality, integrity, and availability impact per CVSS. The real threat vector is model supply chain: if your inference pipeline loads models from shared storage or external registries without integrity checks, the 'local' constraint becomes trivially bypassed.

Risk Assessment

CVSS 7.8 HIGH with local attack vector reduces immediate urgency for internet-exposed services, but the rating is misleading in AI/ML contexts. TFLite model files are frequently shared via model hubs, containers, and artifact registries—any of these can serve as a delivery vector that satisfies the 'local' requirement once the file lands on disk. Low attack complexity and no user interaction mean exploitation is straightforward once a malicious model is in place. Not in CISA KEV and no public exploitation reported as of patch date, but the vulnerability class (divide-by-zero in inference kernel) is well-understood and weaponizable.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch


Severity & Risk

CVSS 3.1
7.8 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 1% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

Recommended Action

6 steps
  1. Patch: Upgrade to TensorFlow 2.5.0 or apply backports to 2.4.2, 2.3.3, 2.2.3, or 2.1.4 (commit 49847ae69a4e).

  2. Model provenance: Implement cryptographic signing and hash verification for all .tflite model files before loading—treat model files as executable code.

  3. Sandboxing: Run TFLite inference in isolated processes or containers with restricted privileges to contain blast radius if exploited.

  4. Input validation: Audit inference pipelines for stride validation before model loading; reject models with stride=0 in any convolution layer.

  5. Detection: Monitor for TFLite process crashes or abnormal model loading from unexpected sources.

  6. Inventory: Identify all TFLite deployments (edge, mobile, server) and prioritize patching based on exposure of model loading interfaces.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.7 - AI system operation — security of AI system
NIST AI RMF
MS-2.5 - AI risk is evaluated using established methods
OWASP LLM Top 10
LLM05:2025 - Insecure Plugin / Supply Chain

Frequently Asked Questions

What is CVE-2021-29585?

Any organization running TensorFlow Lite for on-device or edge inference should patch immediately to TF 2.5.0 (or backports 2.4.2/2.3.3/2.2.3/2.1.4). An attacker with local access can load a crafted .tflite model file to trigger a crash with high confidentiality, integrity, and availability impact per CVSS. The real threat vector is model supply chain: if your inference pipeline loads models from shared storage or external registries without integrity checks, the 'local' constraint becomes trivially bypassed.

Is CVE-2021-29585 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29585, increasing the risk of exploitation.

How to fix CVE-2021-29585?

1. Patch: Upgrade to TensorFlow 2.5.0 or apply backports to 2.4.2, 2.3.3, 2.2.3, or 2.1.4 (commit 49847ae69a4e).
2. Model provenance: Implement cryptographic signing and hash verification for all .tflite model files before loading; treat model files as executable code.
3. Sandboxing: Run TFLite inference in isolated processes or containers with restricted privileges to contain blast radius if exploited.
4. Input validation: Audit inference pipelines for stride validation before model loading; reject models with stride=0 in any convolution layer.
5. Detection: Monitor for TFLite process crashes or abnormal model loading from unexpected sources.
6. Inventory: Identify all TFLite deployments (edge, mobile, server) and prioritize patching based on exposure of model loading interfaces.

What systems are affected by CVE-2021-29585?

This vulnerability affects the following AI/ML architecture patterns: edge AI / on-device inference, model serving (TFLite backend), mobile ML pipelines, training pipelines (TFLite validation step).

What is the CVSS score for CVE-2021-29585?

CVE-2021-29585 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. The TFLite computation for size of output after padding, `ComputeOutSize` (https://github.com/tensorflow/tensorflow/blob/0c9692ae7b1671c983569e5d3de5565843d500cf/tensorflow/lite/kernels/padding.h#L43-L55), does not check that the `stride` argument is not 0 before doing the division. Users can craft special models such that `ComputeOutSize` is called with `stride` set to 0. The fix will be included in TensorFlow 2.5.0. We will also cherry-pick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
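Added example, not TensorFlow's own code: the output-size computation the description refers to, in its unchecked form beside a hardened one, plus the loader-side stride check that step 4 of Recommended Action calls for. The enum names are re-declared locally to mirror TFLite's padding modes, the `stride == 0` early return is modelled on the referenced fix commit, and `ConvParamsAcceptable` is a hypothetical helper of my own.

```c
#include <stdbool.h>
#include <stdio.h>

/* Local re-declaration of TFLite's padding modes (not the upstream header). */
typedef enum { kTfLitePaddingUnknown = 0, kTfLitePaddingSame, kTfLitePaddingValid } TfLitePadding;

/* Unchecked form: same arithmetic as the pre-fix ComputeOutSize. With
 * stride == 0 both divisions trap (SIGFPE on x86), which is the crash this
 * CVE describes, so never call it with an unvalidated stride. */
static int ComputeOutSizeUnchecked(TfLitePadding padding, int image_size,
                                   int filter_size, int stride, int dilation_rate) {
  int effective_filter_size = (filter_size - 1) * dilation_rate + 1;
  switch (padding) {
    case kTfLitePaddingSame:
      return (image_size + stride - 1) / stride;
    case kTfLitePaddingValid:
      return (image_size + stride - effective_filter_size) / stride;
    default:
      return 0;
  }
}

/* Hardened form: reject a zero stride before dividing. Returning 0 follows
 * the fix commit as understood here (the function has no other error path);
 * callers must treat a 0 output size as "reject this model", not as a shape. */
static int ComputeOutSizeFixed(TfLitePadding padding, int image_size,
                               int filter_size, int stride, int dilation_rate) {
  if (stride == 0) return 0;
  return ComputeOutSizeUnchecked(padding, image_size, filter_size, stride, dilation_rate);
}

/* Loader-side pre-check (assumed helper): refuse any convolution whose stride
 * or dilation is non-positive before the kernel ever runs, which is what
 * "reject models with stride=0" means in practice for a model-loading pipeline. */
static bool ConvParamsAcceptable(int stride_w, int stride_h, int dilation_w, int dilation_h) {
  return stride_w > 0 && stride_h > 0 && dilation_w > 0 && dilation_h > 0;
}

int main(void) {
  /* Constructed parameters: 224x224 input, 3x3 filter, stride 2, dilation 1. */
  printf("SAME  out=%d\n", ComputeOutSizeFixed(kTfLitePaddingSame, 224, 3, 2, 1));
  printf("VALID out=%d\n", ComputeOutSizeFixed(kTfLitePaddingValid, 224, 3, 2, 1));
  /* A crafted layer with stride 0 is now rejected instead of trapping. */
  printf("stride0 out=%d accepted=%d\n",
         ComputeOutSizeFixed(kTfLitePaddingSame, 224, 3, 0, 1),
         ConvParamsAcceptable(0, 1, 1, 1));
  return 0;
}
```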

Exploitation Scenario

Adversary targets an organization's edge AI pipeline (e.g., a factory vision system or mobile fraud detection model). They identify the target uses TFLite < 2.5.0 via version disclosure in API responses or job postings. Using a modified flatbuffers schema, they craft a .tflite model where a convolution layer sets stride=0. They upload this file to a shared model artifact registry (S3 bucket, MLflow registry, or internal model store) by compromising a developer's credentials or exploiting misconfigured write permissions. When the inference service automatically pulls and loads the new model version, ComputeOutSize divides by zero—crashing the inference process, potentially corrupting adjacent memory, and taking down the AI-dependent production system. In a mobile context, the same model could be distributed via a compromised update mechanism.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities