CVE-2021-29600 — HIGH (CVSS 7.8) AI Security Vulnerability

CISO Take

Any environment loading externally-sourced or user-supplied TFLite models is exposed to a crash or potential code execution through a specially crafted model file. Patch TensorFlow to 2.5.0+, or apply the targeted cherrypick for supported 2.1.x–2.4.x branches. Enforce strict model provenance controls: only load TFLite models from signed, internal sources.

Risk Assessment

CVSS 7.8 High with local attack vector, but 'local' in TFLite context means any process that loads the model — including mobile apps, edge devices, and server-side inference services consuming externally-provided model files. The C/I/A impact is all-High, suggesting potential memory corruption beyond a simple crash. Low attack complexity and no user interaction required elevate practical exploitability. Not in CISA KEV; no confirmed active exploitation as of enrichment date, reducing urgency slightly.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 1% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

PATCH

Upgrade to TensorFlow 2.5.0+, or cherrypick commit 3ebedd7e to TF 2.4.2, 2.3.3, 2.2.3, or 2.1.4.
VALIDATE INPUT

Before loading any TFLite model, verify all operator tensor shapes — reject models where any dimension of OneHot indices is 0.
ENFORCE PROVENANCE

Only load TFLite models from cryptographically signed, internally audited sources. Block loading of arbitrary model files in production inference services.
SANDBOX

Run TFLite inference in isolated processes or containers to limit blast radius if triggered.
DETECT

Monitor for abnormal process crashes in inference services; a sudden uptick in SIGFPE or SIGABRT signals in TF processes is a detection indicator.

Classification

DoS Code Execution Supply Chain Framework Inference Model AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

ISO 42001

A.6.2.5 - AI system verification and validation

NIST AI RMF

GOVERN-5.2 - Organizational risk tolerance for AI supply chain MANAGE-2.4 - Residual risks from third-party AI infrastructure

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29600?

Any environment loading externally-sourced or user-supplied TFLite models is exposed to a crash or potential code execution through a specially crafted model file. Patch TensorFlow to 2.5.0+, or apply the targeted cherrypick for supported 2.1.x–2.4.x branches. Enforce strict model provenance controls: only load TFLite models from signed, internal sources.

Is CVE-2021-29600 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29600, increasing the risk of exploitation.

How to fix CVE-2021-29600?

1. PATCH: Upgrade to TensorFlow 2.5.0+, or cherrypick commit 3ebedd7e to TF 2.4.2, 2.3.3, 2.2.3, or 2.1.4. 2. VALIDATE INPUT: Before loading any TFLite model, verify all operator tensor shapes — reject models where any dimension of OneHot indices is 0. 3. ENFORCE PROVENANCE: Only load TFLite models from cryptographically signed, internally audited sources. Block loading of arbitrary model files in production inference services. 4. SANDBOX: Run TFLite inference in isolated processes or containers to limit blast radius if triggered. 5. DETECT: Monitor for abnormal process crashes in inference services; a sudden uptick in SIGFPE or SIGABRT signals in TF processes is a detection indicator.

What systems are affected by CVE-2021-29600?

This vulnerability affects the following AI/ML architecture patterns: TFLite mobile inference, edge AI inference, model serving, training pipelines, CI/CD model validation.

What is the CVSS score for CVE-2021-29600?

CVE-2021-29600 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `OneHot` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/f61c57bd425878be108ec787f4d96390579fb83e/tensorflow/lite/kernels/one_hot.cc#L68-L72). An attacker can craft a model such that at least one of the dimensions of `indices` would be 0. In turn, the `prefix_dim_size` value would become 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to the model distribution channel (supply chain compromise, malicious model repo, social engineering targeting an ML engineer) publishes a TFLite model containing an OneHot operator where the indices tensor has at least one dimension set to zero. When a mobile app, edge device, or inference server loads this model, TFLite's one_hot.cc computes prefix_dim_size = 0 and immediately divides by it. The crash terminates the inference process. With deeper exploitation of the resulting memory corruption, an attacker could achieve code execution in the context of the serving process — particularly impactful in server-side deployments running with elevated privileges.