CVE-2021-29594: TFLite: divide-by-zero in conv allows code execution

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

Any deployment running TFLite inference—mobile apps, edge devices, embedded systems—is vulnerable to crash or code execution via crafted model inputs. Upgrade TensorFlow to 2.5.0 or apply the designated backport patches (2.4.2/2.3.3/2.2.3/2.1.4) immediately. Prioritize systems that accept externally-supplied TFLite models or tensor inputs from untrusted sources.

Risk Assessment

HIGH risk for systems dynamically loading TFLite models from external sources such as model registries, user uploads, or CI/CD pipelines. The local attack vector classification understates real-world exposure: in AI inference pipelines where models are fetched from external repositories, the effective attack surface is network-wide. Low complexity and low privilege requirements make this accessible to moderately skilled attackers. Absence from CISA KEV suggests no confirmed widespread exploitation, but the vulnerability is publicly documented with a proof-of-concept in the GitHub advisory.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K | OpenSSF 7.2 | 3.7K dependents | Pushed 6d ago | 4% patched | ~1372d to patch

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

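AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High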

Recommended Action

  1. PATCH

    Upgrade TensorFlow to 2.5.0, or apply backport patches to 2.4.2, 2.3.3, 2.2.3, or 2.1.4 for supported legacy versions.

  2. INPUT VALIDATION

    Validate that all convolution parameters (kernel size, stride, dilation factors) are strictly non-zero before model execution. Reject models that fail validation.

  3. MODEL SIGNING

    Restrict TFLite model loading to internally-signed artifacts only; reject unsigned or externally-sourced models in production.

  4. EDGE/FIRMWARE

    Audit all TFLite-linked binaries across edge and IoT fleets; schedule firmware updates.

  5. DETECTION

    Monitor inference processes for SIGFPE signals, unexpected crashes, or abnormal terminations. Alert on any model loaded outside approved registries.
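
Steps 3 and 5 can be enforced together in the service that launches inference. The following Python is an added example, not code from TensorFlow or from this advisory: it refuses any model whose SHA-256 digest is not on an approved list, runs the interpreter in a separate worker process, and raises an alert when that worker is killed by SIGFPE or exits abnormally. The worker command lines, the model bytes and the digest allowlist are constructed placeholders.

```python
import hashlib
import signal
import subprocess
import sys

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def run_gated_inference(model_bytes, approved_digests, worker_cmd, timeout=30):
    """Return (verdict, detail) for one inference job.

    worker_cmd is a hypothetical command that reads the model on stdin and
    runs the TFLite interpreter in its own process, so a fault in a native
    kernel kills the worker rather than the calling service.
    """
    digest = sha256_hex(model_bytes)
    if digest not in approved_digests:
        # Not an approved registry artifact: never hand it to the worker.
        return "rejected", f"unapproved model sha256={digest}"
    try:
        proc = subprocess.run(worker_cmd, input=model_bytes,
                              capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "alert", "worker timed out"
    if proc.returncode == 0:
        return "ok", "inference completed"
    if proc.returncode < 0:
        # On POSIX a negative return code is the number of the fatal signal.
        signum = -proc.returncode
        if signum == signal.SIGFPE:
            return "alert", "worker killed by SIGFPE"
        return "alert", f"worker killed by signal {signum}"
    return "alert", f"worker exited with status {proc.returncode}"

# Constructed sample data: the bytes stand in for a .tflite file, and the
# two workers are stand-ins that exit cleanly or send SIGFPE to themselves.
SAMPLE_MODEL = b"constructed-placeholder-model-bytes"
APPROVED = {sha256_hex(SAMPLE_MODEL)}
CLEAN_WORKER = [sys.executable, "-c", "import sys; sys.stdin.buffer.read()"]
FAULTING_WORKER = [sys.executable, "-c",
                   "import os, signal; os.kill(os.getpid(), signal.SIGFPE)"]

if __name__ == "__main__":
    print(run_gated_inference(SAMPLE_MODEL, APPROVED, CLEAN_WORKER))
    print(run_gated_inference(SAMPLE_MODEL, APPROVED, FAULTING_WORKER))
    print(run_gated_inference(b"unlisted", APPROVED, CLEAN_WORKER))
```

SIGFPE is what an integer division by zero raises on x86; the AArch64 divide instructions return zero without trapping, so on ARM edge devices a clean worker exit is not evidence that a model was benign and this monitor does not replace patching.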

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, Robustness and Cybersecurity
ISO 42001
6.1.2 - AI Risk Assessment
8.2 - AI System Requirements
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain deployed AI system value are evaluated and monitored
MAP-1.6 - Risks from third-party entities are mapped and monitored

Frequently Asked Questions

Is CVE-2021-29594 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29594, increasing the risk of exploitation.

What systems are affected by CVE-2021-29594?

This vulnerability affects the following AI/ML architecture patterns: edge inference, mobile AI inference, model serving, on-device ML, CI/CD ML pipelines.

What is the CVSS score for CVE-2021-29594?

CVE-2021-29594 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. TFLite's convolution code (https://github.com/tensorflow/tensorflow/blob/09c73bca7d648e961dd05898292d91a8322a9d45/tensorflow/lite/kernels/conv.cc) has multiple divisions where the divisor is controlled by the user and not checked to be non-zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary crafts a malicious TFLite model file (.tflite) with a convolution layer configured with zero-valued stride parameters. The file is submitted through any model ingestion path—an ML model update endpoint, an automated testing pipeline that evaluates community-submitted models, or a supply chain compromise of a model registry. When the target application's TFLite interpreter loads and executes inference, conv.cc performs an unchecked division by the attacker-controlled zero value. In edge and embedded deployments without memory protection, this can escalate from crash to arbitrary code execution. The attack requires no authentication if the model ingestion path is public-facing.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: May 14, 2021
Last Modified: November 21, 2024
First Seen: May 14, 2021
