CVE-2021-29588: TensorFlow Lite: DoS/RCE via crafted model stride=0

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

Any system loading untrusted TFLite models (edge devices, mobile apps, on-device inference pipelines) is exposed to a crafted model that triggers a division-by-zero in the TransposeConv operator, potentially leading to crash or code execution. Patch to TF 2.5.0 / 2.4.2 / 2.3.3 / 2.2.3 / 2.1.4 immediately and enforce model provenance controls—only load models from trusted, integrity-verified sources. This is a supply-chain-style attack surface: the malicious payload is the model file, not network traffic.

Risk Assessment

CVSS 7.8 High with local attack vector and low complexity. Despite the local vector, risk is elevated in any architecture that ingests externally-sourced TFLite models—mobile apps accepting user uploads, model marketplaces, or CI/CD pipelines that pull models from third-party registries. The C:H/I:H/A:H CVSS scores indicate potential beyond pure DoS; memory corruption enabling code execution cannot be ruled out. Not in CISA KEV and no public exploitation confirmed, but the low attack complexity makes weaponization trivial for anyone with TFLite knowledge.

Affected Systems

Package: tensorflow
Ecosystem: pip
Vulnerable Range: (not listed)
Patched: No patch

Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

Recommended Action

  1. Patch: Upgrade to TensorFlow 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4.

  2. Model provenance: Enforce cryptographic signing and integrity verification for all TFLite model files before loading—reject unsigned or unverified models.

  3. Input validation: If running unpatched versions, add pre-load validation that parses each TransposeConv operator in the model and checks that both its stride_h and stride_w values are non-zero before the interpreter is allowed to run it.

  4. Sandboxing: Run TFLite inference in an isolated process or container to contain crash impact.

  5. Detection: Alert on inference process crashes or abnormal exits—these may indicate exploitation attempts against this or similar vulnerabilities.
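As an added illustration of the pre-load check in step 3 (this is example code written for this page, not TensorFlow's kernel and not code from the advisory), the C program below mirrors the shape of the problem in a simplified 1-D transposed convolution. In gather form the kernel divides output coordinates by the stride, so a stride of 0 taken from an untrusted model traps with SIGFPE unless the parameters are validated first. The names `tconv_params_t`, `tconv_params_ok`, `tconv_output_len` and `tconv_1d` are hypothetical and not TFLite API; the input and kernel values are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical parameter block standing in for a TransposeConv operator's
   options as read from an untrusted model file. */
typedef struct {
    int stride;       /* 1-D stand-in for stride_h / stride_w */
    int kernel_size;  /* number of taps in the kernel */
} tconv_params_t;

/* The validation the advisory recommends: returns 1 when the parameters
   are safe to use, 0 otherwise. A stride of 0 (or negative) must be
   rejected before it reaches any arithmetic that divides by it. */
int tconv_params_ok(const tconv_params_t *p, int input_len) {
    if (p == NULL) return 0;
    if (p->stride < 1) return 0;
    if (p->kernel_size < 1) return 0;
    if (input_len < 1) return 0;
    return 1;
}

/* Output length of a 1-D transposed convolution without padding:
   (input_len - 1) * stride + kernel_size. Returns -1 for rejected params. */
int tconv_output_len(const tconv_params_t *p, int input_len) {
    if (!tconv_params_ok(p, input_len)) return -1;
    return (input_len - 1) * p->stride + p->kernel_size;
}

/* Gather-form 1-D transposed convolution: for each output position o,
   sum x[i] * k[j] over all (i, j) with i * stride + j == o.
   Returns the number of outputs written, or -1 if the parameters were
   rejected or the output buffer is too small. The `t % stride` and
   `t / stride` below are exactly the operations that trap when stride == 0
   and no check has been made. */
int tconv_1d(const tconv_params_t *p, const int *x, int input_len,
             const int *k, int *out, int out_cap) {
    int out_len = tconv_output_len(p, input_len);
    if (out_len < 0 || out_len > out_cap) return -1;
    for (int o = 0; o < out_len; o++) {
        int acc = 0;
        for (int j = 0; j < p->kernel_size; j++) {
            int t = o - j;                          /* candidate i * stride */
            if (t < 0 || t % p->stride != 0) continue;
            int i = t / p->stride;
            if (i < input_len) acc += x[i] * k[j];
        }
        out[o] = acc;
    }
    return out_len;
}

int main(void) {
    /* Constructed sample input: x = [1, 2, 3], kernel k = [1, 1]. */
    int x[3] = {1, 2, 3};
    int k[2] = {1, 1};
    int out[16];
    tconv_params_t good = {2, 2};   /* stride 2: valid */
    tconv_params_t bad  = {0, 2};   /* stride 0: the crafted-model case */

    int n = tconv_1d(&good, x, 3, k, out, 16);
    printf("stride=2 -> %d outputs:", n);
    for (int o = 0; o < n; o++) printf(" %d", out[o]);
    printf("\n");

    /* Without tconv_params_ok this call would raise SIGFPE; with it the
       operator is rejected and the caller can refuse to load the model. */
    printf("stride=0 -> %s\n",
           tconv_1d(&bad, x, 3, k, out, 16) < 0 ? "rejected" : "accepted");
    return 0;
}
```

With the sample input the valid call yields six outputs, 1 1 2 2 3 3, while the stride-0 parameters are rejected before any division takes place. A real pre-load validator would apply the same rule to every TransposeConv operator found while parsing the model's flatbuffer, refusing the whole file on the first bad stride rather than letting the interpreter reach the kernel.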

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system risk assessment
NIST AI RMF
GOVERN 1.7 - Processes for security and resilience of AI systems
MANAGE 2.2 - Mechanisms to detect and respond when AI systems are not performing as intended
OWASP LLM Top 10
LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29588?

CVE-2021-29588 is a division-by-zero in the optimized TransposeConv TFLite operator, triggered by a crafted model whose stride_{h,w} values are 0. Any system loading untrusted TFLite models (edge devices, mobile apps, on-device inference pipelines) is exposed to a crash or, potentially, code execution. The malicious payload is the model file itself, so this is a supply-chain-style attack surface: patch to TF 2.5.0 / 2.4.2 / 2.3.3 / 2.2.3 / 2.1.4 and only load models from trusted, integrity-verified sources.

Is CVE-2021-29588 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29588, increasing the risk of exploitation.

How to fix CVE-2021-29588?

  1. Patch: Upgrade to TensorFlow 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4.
  2. Model provenance: Enforce cryptographic signing and integrity verification for all TFLite model files before loading; reject unsigned or unverified models.
  3. Input validation: If running unpatched versions, add pre-load validation that checks stride_{h,w} values in TransposeConv layers are non-zero.
  4. Sandboxing: Run TFLite inference in an isolated process or container to contain crash impact.
  5. Detection: Alert on inference process crashes or abnormal exits; these may indicate exploitation attempts against this or similar vulnerabilities.

What systems are affected by CVE-2021-29588?

This vulnerability affects the following AI/ML architecture patterns: On-device / edge inference, Mobile ML pipelines, TFLite model serving, Computer vision inference pipelines, Embedded ML systems.

What is the CVSS score for CVE-2021-29588?

CVE-2021-29588 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. The optimized implementation of the `TransposeConv` TFLite operator is [vulnerable to a division by zero error](https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/internal/optimized/optimized_ops.h#L5221-L5222). An attacker can craft a model such that `stride_{h,w}` values are 0. Code calling this function must validate these arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targets an organization's mobile app or edge ML system that performs on-device image processing using TFLite. They craft a malicious TFLite model file with TransposeConv stride values set to 0 and introduce it via a compromised model registry, a poisoned open-source model repository, or a man-in-the-middle attack on an unencrypted model update channel. When the app loads and runs inference with the crafted model, the division-by-zero triggers a crash (DoS) or, depending on compiler behavior and memory layout, potentially allows controlled memory corruption leading to arbitrary code execution on the device.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: May 14, 2021
Last Modified: November 21, 2024
First Seen: May 14, 2021

Related Vulnerabilities