CVE-2021-29598: TensorFlow TFLite: SVDF div-by-zero enables RCE

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

Any pipeline that loads externally sourced TFLite models—mobile apps, edge devices, model validation services—is exposed to high-impact exploitation via a single crafted .tflite file. Patch to TensorFlow 2.5.0 or apply the available backports for 2.1.x–2.4.x immediately. If upgrading is not immediate, sandbox or reject SVDF-based models from untrusted sources.

Risk Assessment

CVSS 7.8 (High) with local attack vector and low complexity. Practical risk is elevated beyond the local-access label: any application that ingests TFLite models from external sources (model marketplaces, user uploads, public checkpoints, CI/CD pipelines) effectively exposes a remote attack surface. CVSS impact scores of C:H/I:H/A:H signal potential for full process compromise, not merely a crash, making this more severe than a typical DoS.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

Recommended Action

5 steps
  1. Patch: Upgrade to TensorFlow 2.5.0 or cherry-pick the fix to 2.1.4, 2.2.3, 2.3.3, or 2.4.2. Commit: 6841e522a3e7d48706a02e8819836e809f738682.

  2. Model validation: Validate operator parameters (including rank > 0) in a sandboxed process before production inference.

  3. Supply chain controls: Enforce model provenance checks and restrict loading of externally sourced TFLite models to verified, signed artifacts.

  4. Detection: Monitor inference processes for unexpected terminations or OOM signals—indicators of crash-inducing payloads.

  5. Inventory: Audit all services consuming TFLite models from public registries or user input and prioritize patching based on exposure.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.1 - AI system security
NIST AI RMF: MANAGE 1.3 - Responses to identified AI risks and incidents; MEASURE 2.5 - Testing, evaluation, verification and validation of AI systems

Frequently Asked Questions

Is CVE-2021-29598 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29598, increasing the risk of exploitation.

What systems are affected by CVE-2021-29598?

This vulnerability affects the following AI/ML architecture patterns: model serving, edge AI inference, mobile ML inference, training pipelines.

What is the CVSS score for CVE-2021-29598?

CVE-2021-29598 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `SVDF` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/7f283ff806b2031f407db64c4d3edcda8fb9f9f5/tensorflow/lite/kernels/svdf.cc#L99-L102). An attacker can craft a model such that `params->rank` would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
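
The rank check named in the description above and in step 2 of the recommended actions, sketched as an added example (not TensorFlow's code and not part of the original page). It assumes a hypothetical `OpParams` record holding values already parsed out of a .tflite file; every name in it is illustrative.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-in for the operator parameters a pre-inference validator
// would read from a model file; these are not TensorFlow's own types.
struct OpParams {
    std::string op;   // operator name, e.g. "SVDF"
    int rank;         // SVDF rank parameter, taken from the untrusted file
    int num_filters;  // first dimension of the feature-weights tensor
};

enum class Verdict { kOk, kNonPositiveRank, kFiltersNotMultipleOfRank };

// Checks one operator. For SVDF the unit count is num_filters / rank, so rank
// has to be validated before any division or modulo on it is evaluated.
Verdict CheckOp(const OpParams& p, int* num_units) {
    if (p.op != "SVDF") return Verdict::kOk;  // only SVDF is in scope here
    if (p.rank <= 0) return Verdict::kNonPositiveRank;
    if (p.num_filters % p.rank != 0) return Verdict::kFiltersNotMultipleOfRank;
    if (num_units) *num_units = p.num_filters / p.rank;
    return Verdict::kOk;
}

// Returns the index of the first operator that fails validation, or -1 when
// every operator passes and the model can be handed to the interpreter.
int FirstRejectedOp(const std::vector<OpParams>& model) {
    for (size_t i = 0; i < model.size(); ++i) {
        if (CheckOp(model[i], nullptr) != Verdict::kOk) {
            return static_cast<int>(i);
        }
    }
    return -1;
}

int main() {
    // Constructed sample models: one well-formed, one with rank == 0.
    std::vector<OpParams> good = {{"CONV_2D", 0, 0}, {"SVDF", 2, 8}};
    std::vector<OpParams> bad = {{"SVDF", 2, 8}, {"SVDF", 0, 8}};
    std::printf("good: %d\n", FirstRejectedOp(good));
    std::printf("bad:  %d\n", FirstRejectedOp(bad));
    return 0;
}
```

Running the check in a separate, sandboxed process keeps a parser fault in the validator itself away from the production inference service.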

Exploitation Scenario

An adversary targeting an edge AI deployment—for example, an on-device voice assistant or anomaly detection service—crafts a TFLite model where the SVDF layer's rank parameter is explicitly set to 0. The adversary uploads this model to a public model hub or distributes it through a compromised internal model registry. When the victim application loads and runs inference, the division by zero in svdf.cc:99-102 fires. Depending on runtime, OS, and memory layout, this escalates from a reliable crash (DoS) to potential arbitrary code execution within the inference process, with CVSS impact scores confirming the high ceiling. A secondary supply chain variant involves publishing the poisoned model to popular open-source repositories where ML teams pull checkpoints automatically.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: May 14, 2021
Last Modified: November 21, 2024
First Seen: May 14, 2021

Related Vulnerabilities