CVE-2021-29595: TensorFlow TFLite: crash/RCE via malicious model file

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

TFLite inference environments that load externally-sourced or user-supplied model files are exposed to crash or potential code execution via a trivially crafted model with block_size=0. Upgrade to TensorFlow 2.5.0 or applicable backport releases (2.4.2/2.3.3/2.2.3/2.1.4) immediately. Until patched, enforce cryptographic model file signatures and run inference in isolated processes to contain blast radius.

Risk Assessment

CVSS 7.8 High with local attack vector, but practical risk escalates significantly in pipelines that ingest third-party or user-supplied TFLite models—common in model marketplaces, AI SaaS platforms, and edge deployment toolchains. The exploit primitive is trivially crafted (set block_size=0 in a model flatbuffer), though delivery requires positioning in the model supply chain. CVSS C:H/I:H/A:H scoring indicates potential beyond simple DoS, including memory corruption pathways to code execution.

Affected Systems

Package     Ecosystem   Vulnerable Range   Patched
tensorflow  pip         -                  No patch

Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

5 steps
  1. PATCH

    Upgrade to TensorFlow 2.5.0 or backport releases 2.4.2/2.3.3/2.2.3/2.1.4 — commit 106d8f4 contains the fix.

  2. VALIDATE

    Implement pre-inference model validation rejecting DepthToSpace operators with block_size <= 0 before execution.

  3. SANDBOX

    Run TFLite inference in isolated containers or processes with minimal privileges to contain crash or exploitation impact.

  4. TRUST BOUNDARIES

    Only load TFLite model files with verified cryptographic signatures from trusted registries; reject unsigned or externally-sourced models.

  5. DETECT

    Alert on unexpected process crashes/segfaults in inference workers; audit model provenance logs for anomalous sources.
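As an added example illustrating the VALIDATE step above and the integer division the NVD description points at (this is a simplified stand-alone model, not TensorFlow's own kernel code; the function and type names are assumptions): the DepthToSpace output-shape computation in its unchecked form beside a checked form that rejects block_size <= 0 before any division happens.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model of the output-shape computation a DepthToSpace kernel
 * performs when a model is prepared for execution. Tensors are NHWC:
 * {batch, height, width, channels}. block_size is read straight from the
 * model file, so in this advisory's threat model it is attacker-controlled.
 * (Added example; names are assumptions, not TensorFlow's API.) */
typedef enum { DTS_OK = 0, DTS_BAD_BLOCK_SIZE = 1, DTS_BAD_CHANNELS = 2 } dts_status;

/* Unchecked form: the model-supplied parameter is used without validation.
 * With block_size == 0 the last statement divides by zero: on x86 that raises
 * SIGFPE and kills the inference process; on architectures where integer
 * division by zero silently yields 0, the bogus output shape propagates into
 * later buffer-size calculations instead. */
void dts_prepare_unchecked(const int in[4], int block_size, int out[4]) {
    out[0] = in[0];
    out[1] = in[1] * block_size;
    out[2] = in[2] * block_size;
    out[3] = in[3] / block_size / block_size;
}

/* Checked form: reject the parameter before any arithmetic touches it.
 * block_size > 0 is the essential check; the divisibility check additionally
 * ensures the channels split evenly into block_size^2 groups. */
dts_status dts_prepare_checked(const int in[4], int block_size, int out[4]) {
    if (block_size <= 0)
        return DTS_BAD_BLOCK_SIZE;                 /* covers 0 and negatives */
    long long bb = (long long)block_size * block_size;  /* no int overflow */
    if (in[3] <= 0 || in[3] % bb != 0)
        return DTS_BAD_CHANNELS;
    out[0] = in[0];
    out[1] = in[1] * block_size;
    out[2] = in[2] * block_size;
    out[3] = (int)(in[3] / bb);
    return DTS_OK;
}

int main(void) {
    /* Constructed input: a 1x4x4x12 tensor as a benign model might carry,
     * tried against valid, non-divisible, zero and negative block sizes. */
    const int in[4] = {1, 4, 4, 12};
    const int candidates[] = {2, 3, 0, -1};
    int out[4];
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        dts_status s = dts_prepare_checked(in, candidates[i], out);
        if (s == DTS_OK)
            printf("block_size=%d -> %dx%dx%dx%d\n", candidates[i], out[0], out[1], out[2], out[3]);
        else
            printf("block_size=%d rejected (status %d)\n", candidates[i], (int)s);
    }
    return 0;
}
```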

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system for high-risk AI systems
ISO 42001
A.6.2 - AI system supplier relationships and third-party components
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain AI risk management over the AI lifecycle

Frequently Asked Questions

Is CVE-2021-29595 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29595, increasing the risk of exploitation.

What systems are affected by CVE-2021-29595?

This vulnerability affects the following AI/ML architecture patterns: Edge AI/IoT inference, Model serving infrastructure, Mobile AI deployments, Model ingestion/conversion pipelines, AI SaaS platforms with model upload features.

What is the CVSS score for CVE-2021-29595?

CVE-2021-29595 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `DepthToSpace` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/depth_to_space.cc#L63-L69). An attacker can craft a model such that `params->block_size` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to the model distribution path (compromised model registry, malicious third-party supplier, or attacker with upload access to an AI platform) crafts a TFLite flatbuffer file containing a DepthToSpace operator with block_size set to 0. When the target inference service loads and executes this model for a routine prediction request, the division-by-zero triggers. In a crash-only scenario, this produces a reliable DoS on inference endpoints. In environments with exploitable memory layout, the arithmetic fault may be leveraged for controlled memory corruption, potentially enabling RCE within the inference worker process—which in containerized ML serving stacks can pivot to further lateral movement or data exfiltration.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities