CVE-2021-29601: TensorFlow integer overflow

CISO Take

Any TFLite deployment that loads models from external or user-controlled sources is exposed to memory corruption via a crafted model file. Patch to TF 2.5.0 (or backports 2.4.2/2.3.3/2.2.3/2.1.4) immediately — edge AI, mobile, and IoT deployments are highest risk. Enforce cryptographic model signing to prevent unsigned model files from being loaded into production.

What is the risk?

Moderate-high risk for organizations running TFLite at the edge or in mobile applications. The local attack vector (AV:L) requires delivering a malicious model to the target system — achievable via supply chain compromise, model repository poisoning, or insider threat. CVSS 7.1 reflects high integrity and availability impact. No confirmed exploitation in the wild and not in CISA KEV, but the exploit primitive (crafted model file) is straightforward once the overflow offset is calculated. Organizations converting TF models to TFLite in CI/CD pipelines face additional exposure if untrusted models enter the conversion workflow.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

7.1 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 9% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I High

A High

What should I do?

6 steps

Upgrade TensorFlow to 2.5.0 or apply available backport patches for 2.4.2, 2.3.3, 2.2.3, and 2.1.4.
Implement cryptographic model signing — only load TFLite models with verified signatures from trusted sources.
Add a tensor dimension bounds validation layer before invoking TFLite model loading.
Restrict model file sources to internally controlled, access-audited repositories; prohibit direct loading from external URLs or user uploads without sanitization.
Enable OS-level memory corruption mitigations (ASLR, stack canaries, heap hardening) on all TFLite host processes.
Monitor inference processes for abnormal crashes or memory errors as a detection signal for exploitation attempts.

How is it classified?

Supply Chain Code Execution Framework Model Inference AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0018 - Manipulate AI Model AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system

ISO 42001

A.10.2 - AI system design and development security

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29601?

Any TFLite deployment that loads models from external or user-controlled sources is exposed to memory corruption via a crafted model file. Patch to TF 2.5.0 (or backports 2.4.2/2.3.3/2.2.3/2.1.4) immediately — edge AI, mobile, and IoT deployments are highest risk. Enforce cryptographic model signing to prevent unsigned model files from being loaded into production.

Is CVE-2021-29601 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29601, increasing the risk of exploitation.

How to fix CVE-2021-29601?

1. Upgrade TensorFlow to 2.5.0 or apply available backport patches for 2.4.2, 2.3.3, 2.2.3, and 2.1.4. 2. Implement cryptographic model signing — only load TFLite models with verified signatures from trusted sources. 3. Add a tensor dimension bounds validation layer before invoking TFLite model loading. 4. Restrict model file sources to internally controlled, access-audited repositories; prohibit direct loading from external URLs or user uploads without sanitization. 5. Enable OS-level memory corruption mitigations (ASLR, stack canaries, heap hardening) on all TFLite host processes. 6. Monitor inference processes for abnormal crashes or memory errors as a detection signal for exploitation attempts.

What systems are affected by CVE-2021-29601?

This vulnerability affects the following AI/ML architecture patterns: edge AI / on-device inference, model serving, model conversion pipelines, training pipelines.

What is the CVSS score for CVE-2021-29601?

CVE-2021-29601 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.19%.

What is the AI security impact?

Affected AI Architectures

edge AI / on-device inferencemodel servingmodel conversion pipelinestraining pipelines

MITRE ATLAS Techniques

AML.T0010.003 Model

AML.T0011.000 Unsafe AI Artifacts

AML.T0018 Manipulate AI Model

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9

ISO 42001: A.10.2

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of concatenation is vulnerable to an integer overflow issue(https://github.com/tensorflow/tensorflow/blob/7b7352a724b690b11bfaae2cd54bc3907daf6285/tensorflow/lite/kernels/concatenation.cc#L70-L76). An attacker can craft a model such that the dimensions of one of the concatenation input overflow the values of `int`. TFLite uses `int` to represent tensor dimensions, whereas TF uses `int64`. Hence, valid TF models can trigger an integer overflow when converted to TFLite format. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting an organization deploying TFLite on edge devices (smart cameras, medical imaging devices, or mobile apps) crafts a malicious TFLite model with concatenation layer tensor dimensions set to values near INT_MAX. The crafted model is injected via supply chain compromise of the model distribution pipeline — e.g., poisoning a model registry or intercepting the OTA model update mechanism. When the edge device fetches and loads the model, the integer overflow triggers heap corruption inside the TFLite runtime. Depending on heap layout, this yields denial of service (device crash, requiring physical reset) or, with targeted heap grooming, arbitrary code execution within the inference process — providing initial foothold on the edge device for further lateral movement.

Weaknesses (CWE)

CWE-190 Integer Overflow or Wraparound

CWE-190 — Integer Overflow or Wraparound: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

[Requirements] Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
[Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. If possible, choose a language or compiler that performs automatic bounds checking.

Source: MITRE CWE corpus.