CVE-2021-29586: TensorFlow div-by-zero

CISO Take

A crafted TFLite model with stride=0 in pooling layers crashes the inference runtime via division by zero. Any pipeline that loads externally-supplied or untrusted TFLite models is exposed to denial of service. Patch to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 immediately and enforce model provenance controls to block untrusted model loading.

What is the risk?

CVSS 7.8 High with local attack vector and low complexity. Risk is lower in isolated dev environments but escalates sharply in any system exposing model upload or inference capabilities — MLaaS platforms, edge device management, and mobile app update pipelines all become practical DoS vectors requiring only a crafted model file. No active exploitation observed; not in CISA KEV. Patch urgency is moderate given 2021 publication date — if still unpatched, treat as critical.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

7.8 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 10% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

What should I do?

5 steps

Patch to TensorFlow 2.5.0 or apply cherry-picked fixes in 2.4.2, 2.3.3, 2.2.3, 2.1.4.
Add model validation gates: reject TFLite models with stride values ≤ 0 before inference execution.
Run TFLite inference in isolated containers or sandboxes to contain crash blast radius.
Audit CI/CD pipelines that execute model inference during build or test phases.
Detection: monitor for abnormal process terminations in inference services and alert on unexpected stride parameter values in model metadata.

How is it classified?

DoS Code Execution Framework Inference AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system operation and monitoring

NIST AI RMF

GOVERN-4.2 - Organizational policies for AI risk management include third-party dependencies MANAGE-2.2 - Mechanisms to sustain the value of deployed AI systems are in place

Frequently Asked Questions

What is CVE-2021-29586?

A crafted TFLite model with stride=0 in pooling layers crashes the inference runtime via division by zero. Any pipeline that loads externally-supplied or untrusted TFLite models is exposed to denial of service. Patch to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 immediately and enforce model provenance controls to block untrusted model loading.

Is CVE-2021-29586 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29586, increasing the risk of exploitation.

How to fix CVE-2021-29586?

1. Patch to TensorFlow 2.5.0 or apply cherry-picked fixes in 2.4.2, 2.3.3, 2.2.3, 2.1.4. 2. Add model validation gates: reject TFLite models with stride values ≤ 0 before inference execution. 3. Run TFLite inference in isolated containers or sandboxes to contain crash blast radius. 4. Audit CI/CD pipelines that execute model inference during build or test phases. 5. Detection: monitor for abnormal process terminations in inference services and alert on unexpected stride parameter values in model metadata.

What systems are affected by CVE-2021-29586?

This vulnerability affects the following AI/ML architecture patterns: model serving, edge/mobile inference, training pipelines, CI/CD model validation.

What is the CVSS score for CVE-2021-29586?

CVE-2021-29586 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

model servingedge/mobile inferencetraining pipelinesCI/CD model validation

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0011.000 Unsafe AI Artifacts

AML.T0029 Denial of AI Service

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2

NIST AI RMF: GOVERN-4.2, MANAGE-2.2

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. Optimized pooling implementations in TFLite fail to check that the stride arguments are not 0 before calling `ComputePaddingHeightWidth`(https://github.com/tensorflow/tensorflow/blob/3f24ccd932546416ec906a02ddd183b48a1d2c83/tensorflow/lite/kernels/pooling.cc#L90). Since users can craft special models which will have `params->stride_{height,width}` be zero, this will result in a division by zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting an ML inference pipeline crafts a TFLite model file with a Max Pooling layer where stride_height=0. The file is submitted via a model upload endpoint, injected into an automated retraining pipeline, or bundled into a malicious model repository contribution. When the TFLite runtime loads and executes the model, ComputePaddingHeightWidth performs integer division by stride_height (0), triggering a hard crash. In high-availability inference services or edge device fleets, repeated submission causes sustained availability degradation or full service outage at negligible attacker cost.