CVE-2021-29602: TensorFlow TFLite: DepthwiseConv division-by-zero DoS

MEDIUM PoC AVAILABLE
Published May 14, 2021
CISO Take

A crafted TFLite model with a zero-valued fourth input dimension crashes the DepthwiseConv operator, enabling denial-of-service in any inference pipeline loading untrusted models. Patch immediately to TF 2.5.0 or the backported fixes (2.4.2, 2.3.3, 2.2.3, 2.1.4). If you run edge/mobile AI workloads or accept externally-supplied TFLite models, treat this as higher priority than the CVSS score suggests.

What is the risk?

Medium severity with localized DoS impact. CVSS 5.5 reflects local attack vector and availability-only impact. However, risk escalates significantly in edge deployments, CI/CD model evaluation pipelines, or any system that loads TFLite models from external or user-supplied sources — all of which are common in MLOps. Exploitation is trivial: no deep ML expertise needed, just crafting a model with a zero fourth dimension. Not in CISA KEV and no evidence of active exploitation, but the low attack complexity keeps this relevant for unpatched systems.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K, OpenSSF 7.1, 3.7K dependents, pushed 2d ago, 4% patched, ~1372d to patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 5.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 9% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

What should I do?

  1. Patch: Upgrade to TensorFlow 2.5.0. For pinned versions, apply backports to 2.4.2, 2.3.3, 2.2.3, or 2.1.4 (all officially cherrypicked by Google).

  2. Workaround: Validate TFLite model tensor shapes before inference — reject any model where input tensor dimensions contain zero values.

  3. Defense-in-depth: Isolate TFLite inference processes (containerize, sandbox) so a crash does not cascade to the host or other services.

  4. Supply chain: Enforce model provenance checks — only load models from trusted, signed sources. Reject externally-supplied models in production without validation.

  5. Detection: Monitor for abnormal inference process crashes or OOM/SIGFPE signals in inference workers.
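One way to implement the shape check from step 2 without handing the file to the TFLite interpreter, as an added example (not code from the advisory or from TensorFlow): a bounds-checked walk of the model's FlatBuffers tables that fails closed on zero dimensions or malformed offsets. The function names, the `MAX_VEC` cap and the sample buffer are constructed here; the field indices assume the TFLite schema layout (Model.subgraphs = field 2, SubGraph.tensors = field 0, Tensor.shape = field 0).

```python
import struct

MAX_VEC = 65536  # assumed sanity cap on vector lengths; not a TFLite limit

def _u32(buf, pos):
    return struct.unpack_from("<I", buf, pos)[0]

def _vector(buf, table, idx):
    """Return (first_element_pos, length) of vector field `idx` in a table."""
    vt = table - struct.unpack_from("<i", buf, table)[0]   # vtable position
    if vt < 0:
        raise ValueError("vtable offset points before buffer start")
    vt_len = struct.unpack_from("<H", buf, vt)[0]
    slot = 4 + 2 * idx
    off = struct.unpack_from("<H", buf, vt + slot)[0] if slot < vt_len else 0
    if off == 0:
        return 0, 0                                        # field absent
    vec = table + off + _u32(buf, table + off)
    n = _u32(buf, vec)
    if n > MAX_VEC:
        raise ValueError("implausible vector length")
    return vec + 4, n

def zero_dim_tensors(buf):
    """List (subgraph, tensor, shape) for every tensor with a 0 dimension."""
    bad = []
    sg0, sg_n = _vector(buf, _u32(buf, 0), 2)           # Model.subgraphs
    for s in range(sg_n):
        sg = sg0 + 4 * s
        t0, t_n = _vector(buf, sg + _u32(buf, sg), 0)   # SubGraph.tensors
        for t in range(t_n):
            tp = t0 + 4 * t
            d0, d_n = _vector(buf, tp + _u32(buf, tp), 0)  # Tensor.shape
            shape = list(struct.unpack_from("<%di" % d_n, buf, d0))
            if 0 in shape:
                bad.append((s, t, shape))
    return bad

def accept_model(buf):
    """Fail closed: reject zero dimensions and anything that does not parse."""
    try:
        return not zero_dim_tensors(buf)
    except (struct.error, ValueError):
        return False

def sample_model(shape):
    """Constructed 92-byte buffer: one subgraph, one 4-D tensor, nothing else."""
    return struct.pack("<I 5H 2x iI II 3H 2x iI II 3H 2x iI I 4i", 16, 10, 8, 0, 0, 4,
                       12, 4, 1, 12, 6, 8, 4, 8, 4, 1, 12, 6, 8, 4, 8, 4, 4, *shape)
```

Run `accept_model(open(path, "rb").read())` as a gate before the file reaches any inference worker; a rejected file should be quarantined rather than retried.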

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.5 - AI system input validation and robustness
NIST AI RMF
GOVERN 1.2 - Policies, processes and practices are in place to address AI risks
MANAGE 2.2 - Mechanisms to sustain deployment-phase risks are in place

Frequently Asked Questions

Is CVE-2021-29602 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29602, increasing the risk of exploitation.

How to fix CVE-2021-29602?

  1. Patch: Upgrade to TensorFlow 2.5.0. For pinned versions, apply backports to 2.4.2, 2.3.3, 2.2.3, or 2.1.4 (all officially cherrypicked by Google).

  2. Workaround: Validate TFLite model tensor shapes before inference — reject any model where input tensor dimensions contain zero values.

  3. Defense-in-depth: Isolate TFLite inference processes (containerize, sandbox) so a crash does not cascade to the host or other services.

  4. Supply chain: Enforce model provenance checks — only load models from trusted, signed sources. Reject externally-supplied models in production without validation.

  5. Detection: Monitor for abnormal inference process crashes or OOM/SIGFPE signals in inference workers.

What systems are affected by CVE-2021-29602?

This vulnerability affects the following AI/ML architecture patterns: edge AI inference, TFLite mobile and embedded deployments, model serving pipelines, MLOps CI/CD model evaluation, federated learning edge nodes.

What is the CVSS score for CVE-2021-29602?

CVE-2021-29602 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.19%.

What is the AI security impact?

Affected AI Architectures

edge AI inference, TFLite mobile and embedded deployments, model serving pipelines, MLOps CI/CD model evaluation, federated learning edge nodes

MITRE ATLAS Techniques

AML.T0011.000 Unsafe AI Artifacts
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5
NIST AI RMF: GOVERN 1.2, MANAGE 2.2

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `DepthwiseConv` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/1a8e885b864c818198a5b2c0cbbeca5a1e833bc8/tensorflow/lite/kernels/depthwise_conv.cc#L287-L288). An attacker can craft a model such that `input`'s fourth dimension would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targets an organization running a TFLite-based model serving pipeline or a CI/CD system that auto-evaluates contributed models. The attacker crafts a minimally modified TFLite model file where the DepthwiseConv input tensor's fourth dimension is set to 0. When this model is loaded and executed, the kernel attempts to divide by the zero dimension at lines 287-288 of depthwise_conv.cc, triggering a SIGFPE crash. In an automated ML pipeline (e.g., model validation before deployment), this crashes the evaluation worker and may block the pipeline. In a model-as-a-service deployment, repeated submission of such models constitutes a sustained DoS against the inference endpoint.

Weaknesses (CWE)

CWE-369 — Divide By Zero: The product divides a value by zero.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021
