CVE-2021-29592: TensorFlow Lite: null-ptr deref in Reshape via 1D tensor

Severity: HIGH | PoC available
Published: May 14, 2021
CISO Take

This incomplete fix for a prior TensorFlow Lite vulnerability (CVE-2020-15209) allows a local attacker with minimal privileges to trigger a null pointer dereference in the Reshape operator, leading to crash or potential code execution in the TFLite runtime. If your organization runs TensorFlow Lite for on-device or edge inference, patch immediately to 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4. Exposure is limited to local access scenarios, but multi-tenant ML infrastructure or shared inference services elevate the risk profile.

Risk Assessment

CVSS 7.8 (High): the local attack vector, low complexity, and low privilege requirements make this exploitable by any authenticated user on a shared ML system. The null pointer dereference (CWE-476) stems from an incomplete patch, which makes exploitation more credible because researchers are already aware of the original CVE-2020-15209. It is not in CISA KEV and there is no reported active exploitation, but the low attack complexity and the availability of PoC exploit code (referenced in the GHSA advisory) raise the effective risk for unpatched deployments. Edge inference and embedded TFLite deployments are most exposed.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

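Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High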

Recommended Action

  1. PATCH: Upgrade TensorFlow to 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 — all contain the corrected fix.

  2. VERIFY: Run `python -c 'import tensorflow as tf; print(tf.__version__)'` across all ML nodes, containers, and edge devices.

  3. WORKAROUND (if patching is delayed): Validate all TFLite model inputs before execution; reject models containing Reshape ops with dynamic 1-D tensor shapes from untrusted sources.

  4. DETECTION: Monitor for TFLite process crashes (SIGSEGV) in inference services, which may indicate exploitation attempts.

  5. SUPPLY CHAIN: Audit third-party .tflite models in use — a maliciously crafted model can trigger this without user awareness.

  6. CONTAINERS: Rebuild Docker images used for edge inference with patched TensorFlow base layers.
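
For the PATCH and VERIFY steps, version strings have to be compared per release branch: 2.4.1 is numerically higher than the fixed 2.3.3 but is still unpatched. The following is an added example, not part of the advisory or of TensorFlow; the inventory format, hostnames and status names are assumptions of this sketch, as is the treatment of branches after 2.5 as carrying the fix.

```python
import re

# First fixed release per branch, as listed in this advisory.
FIRST_FIXED = {(2, 1): 4, (2, 2): 3, (2, 3): 3, (2, 4): 2, (2, 5): 0}
PRERELEASE = re.compile(r"[-.]?(rc|a|b|dev)\d*", re.I)

def classify(version):
    """Map a tf.__version__ string to patched / vulnerable / no_fix_listed / unknown."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(.*)", version.strip())
    if not m:
        return "unknown"
    branch = (int(m.group(1)), int(m.group(2)))
    patch, suffix = int(m.group(3)), m.group(4)
    if branch in FIRST_FIXED:
        first = FIRST_FIXED[branch]
    elif branch > max(FIRST_FIXED):
        first = 0                      # assumption: branches after 2.5 keep the fix
    else:
        return "no_fix_listed"         # branch older than 2.1: move to a listed branch
    if patch != first:
        return "patched" if patch > first else "vulnerable"
    # Exactly the first fixed release: a pre-release build may predate the fix.
    return "unknown" if PRERELEASE.match(suffix) else "patched"

def needs_action(inventory):
    """inventory: lines of '<host> <version>'; returns {host: status} for non-patched hosts."""
    result = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.strip().partition(" ")
        status = classify(version)
        if status != "patched":
            result[host] = status
    return result

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = """\
edge-cam-01 2.4.1
edge-cam-02 2.4.2
ci-runner-3 2.3.3
train-gpu-7 2.5.0rc1
legacy-box 2.0.4
serve-a 2.6.0
"""

if __name__ == "__main__":
    print(needs_action(INVENTORY))
```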

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.10.1 - AI system security and resilience
NIST AI RMF: MANAGE-2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2021-29592 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29592, increasing the risk of exploitation.

What systems are affected by CVE-2021-29592?

This vulnerability affects the following AI/ML architecture patterns: edge inference, model serving, training pipelines, MLOps/CI model validation.

What is the CVSS score for CVE-2021-29592?

CVE-2021-29592 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. The fix for CVE-2020-15209 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15209) missed the case when the target shape of `Reshape` operator is given by the elements of a 1-D tensor. As such, the fix for the vulnerability (https://github.com/tensorflow/tensorflow/blob/9c1dc920d8ffb4893d6c9d27d1f039607b326743/tensorflow/lite/core/subgraph.cc#L1062-L1074) allowed passing a null-buffer-backed tensor with a 1D shape. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with local access to a shared ML inference server — or the ability to supply a .tflite model file (e.g., via a model upload feature or CI pipeline that evaluates models) — crafts a TFLite model containing a Reshape operator whose shape is provided by a 1-D tensor backed by a null buffer. When the TFLite runtime executes the subgraph, it dereferences the null pointer in subgraph.cc, bypassing the incomplete check from the prior patch. On unpatched systems, this crashes the inference process (DoS) or, with controlled heap layout, may allow code execution in the context of the ML runtime. In multi-tenant model-serving environments where users can submit custom models for evaluation, this becomes remotely exploitable via the model upload vector — requiring only low privilege to the upload endpoint.
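
A pre-execution audit for the pattern described above and in the workaround step, as an added example that is not code from the advisory or from TensorFlow. It assumes the model has been dumped to JSON with field names from the TFLite flatbuffer schema (for instance via flatc); `audit_reshape` and the `fed_at_runtime` triage hint are names invented for this sketch.

```python
import json

RESHAPE = 22  # BuiltinOperator.RESHAPE in the TFLite flatbuffer schema

def is_reshape(code):
    # Enums are dumped by name; newer schemas also keep a numeric legacy field.
    return code.get("builtin_code") == "RESHAPE" or code.get("deprecated_builtin_code") == RESHAPE

def audit_reshape(model):
    """Return Reshape ops whose shape input is a 1-D tensor with no constant data."""
    buffers = model.get("buffers", [])
    codes = model.get("operator_codes", [])
    findings = []
    for sg_i, sg in enumerate(model.get("subgraphs", [])):
        tensors, ops = sg.get("tensors", []), sg.get("operators", [])
        # Tensors that something fills at run time: graph inputs and op outputs.
        fed = set(sg.get("inputs", []))
        for op in ops:
            fed.update(op.get("outputs", []))
        for op_i, op in enumerate(ops):
            idx = op.get("opcode_index", 0)           # default 0 is omitted in dumps
            if idx >= len(codes) or not is_reshape(codes[idx]):
                continue
            inputs = op.get("inputs", [])
            if len(inputs) < 2 or not 0 <= inputs[1] < len(tensors):
                continue                               # no shape tensor, or index out of range
            t = tensors[inputs[1]]
            buf = t.get("buffer", 0)                   # 0 is the empty sentinel buffer
            has_data = 0 < buf < len(buffers) and bool(buffers[buf].get("data"))
            if len(t.get("shape", [])) == 1 and not has_data:
                findings.append({"subgraph": sg_i, "op": op_i,
                                 "tensor": t.get("name", ""),
                                 "fed_at_runtime": inputs[1] in fed})
    return findings

# Constructed sample: only the fields the audit reads, not a loadable model.
SAMPLE = json.loads("""{
 "operator_codes": [{"builtin_code": "RESHAPE"}],
 "buffers": [{}, {"data": [2, 0, 0, 0, 3, 0, 0, 0]}],
 "subgraphs": [{"inputs": [0, 3], "outputs": [4],
  "tensors": [{"name": "x", "shape": [6]},
              {"name": "const_shape", "shape": [2], "buffer": 1},
              {"name": "y", "shape": [2, 3]},
              {"name": "runtime_shape", "shape": [2]},
              {"name": "z", "shape": [3, 2]}],
  "operators": [{"inputs": [0, 1], "outputs": [2]},
                {"inputs": [2, 3], "outputs": [4]}]}]
}""")
```

On the sample, only the second Reshape is reported: its shape tensor has no constant data, while the first uses a constant shape. A finding with `fed_at_runtime` false means nothing in the graph populates the shape tensor, which deserves the closest review.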

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: May 14, 2021
Last Modified: November 21, 2024
First Seen: May 14, 2021
