AI Threat Alert AI Threat Alert

CVE-2021-29601: TensorFlow Lite: integer overflow in model concatenation

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

Any TFLite deployment that loads models from external or user-controlled sources is exposed to memory corruption via a crafted model file. Patch to TF 2.5.0 (or backports 2.4.2/2.3.3/2.2.3/2.1.4) immediately — edge AI, mobile, and IoT deployments are highest risk. Enforce cryptographic model signing to prevent unsigned model files from being loaded into production.

Risk Assessment

Moderate-high risk for organizations running TFLite at the edge or in mobile applications. The local attack vector (AV:L) requires delivering a malicious model to the target system — achievable via supply chain compromise, model repository poisoning, or insider threat. CVSS 7.1 reflects high integrity and availability impact. No confirmed exploitation in the wild and not in CISA KEV, but the exploit primitive (crafted model file) is straightforward once the overflow offset is calculated. Organizations converting TF models to TFLite in CI/CD pipelines face additional exposure if untrusted models enter the conversion workflow.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.1 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 1% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I High
A High

Recommended Action

6 steps

  1. Upgrade TensorFlow to 2.5.0 or apply available backport patches for 2.4.2, 2.3.3, 2.2.3, and 2.1.4.

  2. Implement cryptographic model signing — only load TFLite models with verified signatures from trusted sources.

  3. Add a tensor dimension bounds validation layer before invoking TFLite model loading.

  4. Restrict model file sources to internally controlled, access-audited repositories; prohibit direct loading from external URLs or user uploads without sanitization.

  5. Enable OS-level memory corruption mitigations (ASLR, stack canaries, heap hardening) on all TFLite host processes.

  6. Monitor inference processes for abnormal crashes or memory errors as a detection signal for exploitation attempts.

Classification

Supply Chain Code Execution Framework Model Inference AML.T0010.003 AML.T0011.000 AML.T0018 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.10.2 - AI system design and development security
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29601?

Any TFLite deployment that loads models from external or user-controlled sources is exposed to memory corruption via a crafted model file. Patch to TF 2.5.0 (or backports 2.4.2/2.3.3/2.2.3/2.1.4) immediately — edge AI, mobile, and IoT deployments are highest risk. Enforce cryptographic model signing to prevent unsigned model files from being loaded into production.

Is CVE-2021-29601 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29601, increasing the risk of exploitation.

How to fix CVE-2021-29601?

1. Upgrade TensorFlow to 2.5.0 or apply available backport patches for 2.4.2, 2.3.3, 2.2.3, and 2.1.4. 2. Implement cryptographic model signing — only load TFLite models with verified signatures from trusted sources. 3. Add a tensor dimension bounds validation layer before invoking TFLite model loading. 4. Restrict model file sources to internally controlled, access-audited repositories; prohibit direct loading from external URLs or user uploads without sanitization. 5. Enable OS-level memory corruption mitigations (ASLR, stack canaries, heap hardening) on all TFLite host processes. 6. Monitor inference processes for abnormal crashes or memory errors as a detection signal for exploitation attempts.

What systems are affected by CVE-2021-29601?

This vulnerability affects the following AI/ML architecture patterns: edge AI / on-device inference, model serving, model conversion pipelines, training pipelines.

What is the CVSS score for CVE-2021-29601?

CVE-2021-29601 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of concatenation is vulnerable to an integer overflow issue(https://github.com/tensorflow/tensorflow/blob/7b7352a724b690b11bfaae2cd54bc3907daf6285/tensorflow/lite/kernels/concatenation.cc#L70-L76). An attacker can craft a model such that the dimensions of one of the concatenation input overflow the values of `int`. TFLite uses `int` to represent tensor dimensions, whereas TF uses `int64`. Hence, valid TF models can trigger an integer overflow when converted to TFLite format. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting an organization deploying TFLite on edge devices (smart cameras, medical imaging devices, or mobile apps) crafts a malicious TFLite model with concatenation layer tensor dimensions set to values near INT_MAX. The crafted model is injected via supply chain compromise of the model distribution pipeline — e.g., poisoning a model registry or intercepting the OTA model update mechanism. When the edge device fetches and loads the model, the integer overflow triggers heap corruption inside the TFLite runtime. Depending on heap layout, this yields denial of service (device crash, requiring physical reset) or, with targeted heap grooming, arbitrary code execution within the inference process — providing initial foothold on the edge device for further lateral movement.

Weaknesses (CWE)

CWE-190

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed