CVE-2021-29603: TensorFlow TFLite: heap OOB write via malformed model

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

A specially crafted TFLite model file triggers a heap out-of-bounds write in ArgMin/ArgMax operators, enabling potential code execution on inference hosts. Organizations deploying TFLite for mobile, edge, or server-side inference—particularly those that auto-update model files from external sources—face meaningful supply chain risk. Patch to TensorFlow 2.5.0 or cherry-pick the fix to affected branches (2.1.4/2.2.3/2.3.3/2.4.2) and enforce cryptographic model signing immediately.

Risk Assessment

CVSS 7.8 (High) with a local attack vector and low complexity is deceptive: in automated ML inference pipelines that load externally sourced TFLite models, 'local' maps to any process that can inject a model file, which lowers the effective bar significantly. Because no user interaction is required, exploitation can be fully automated. Absence from CISA KEV and the 2021 vintage reduce immediate urgency, but unpatched TFLite deployments—common in legacy edge and mobile AI systems—remain persistently exposed. The absence of EPSS data and the lack of known active exploitation keep this at an elevated-but-not-critical priority.

Affected Systems

Package: tensorflow
Ecosystem: pip
Patched: No patch


Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

Recommended Action

  1. Patch: Upgrade to TensorFlow 2.5.0 or cherry-pick commit c59c37e7b2d563967da813fa50fe20b21f4da683 into supported branches (2.1.4, 2.2.3, 2.3.3, 2.4.2).

  2. Model provenance: Enforce cryptographic signing and signature verification for all TFLite model files prior to loading—reject any unsigned or unverifiable artifact.

  3. Sandbox inference: Run TFLite inference in isolated processes or containers with minimal OS privileges to contain blast radius from memory corruption exploits.

  4. Input validation: Validate operator axis parameters against tensor dimensions at model load time as a defense-in-depth layer.

  5. Dependency audit: Scan all internal systems for TFLite library versions predating 2.5.0 using SCA tools; prioritize edge and embedded deployments that may not follow standard patch cycles.

  6. Detection: Alert on abnormal crashes, segfaults, or memory errors in TFLite inference workers as potential indicators of exploitation attempts.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security
NIST AI RMF
GOVERN-1.7 - Policies and procedures for AI risk governance
MANAGE-2.2 - Mechanisms to sustain and improve AI risk management

Frequently Asked Questions

What is CVE-2021-29603?

A specially crafted TFLite model file triggers a heap out-of-bounds write in ArgMin/ArgMax operators, enabling potential code execution on inference hosts. Organizations deploying TFLite for mobile, edge, or server-side inference—particularly those that auto-update model files from external sources—face meaningful supply chain risk. Patch to TensorFlow 2.5.0 or cherry-pick the fix to affected branches (2.1.4/2.2.3/2.3.3/2.4.2) and enforce cryptographic model signing immediately.

Is CVE-2021-29603 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29603, increasing the risk of exploitation.

How to fix CVE-2021-29603?

  1. Patch: Upgrade to TensorFlow 2.5.0 or cherry-pick commit c59c37e7b2d563967da813fa50fe20b21f4da683 into supported branches (2.1.4, 2.2.3, 2.3.3, 2.4.2).

  2. Model provenance: Enforce cryptographic signing and signature verification for all TFLite model files prior to loading—reject any unsigned or unverifiable artifact.

  3. Sandbox inference: Run TFLite inference in isolated processes or containers with minimal OS privileges to contain blast radius from memory corruption exploits.

  4. Input validation: Validate operator axis parameters against tensor dimensions at model load time as a defense-in-depth layer.

  5. Dependency audit: Scan all internal systems for TFLite library versions predating 2.5.0 using SCA tools; prioritize edge and embedded deployments that may not follow standard patch cycles.

  6. Detection: Alert on abnormal crashes, segfaults, or memory errors in TFLite inference workers as potential indicators of exploitation attempts.

What systems are affected by CVE-2021-29603?

This vulnerability affects the following AI/ML architecture patterns: edge inference, mobile ML deployment, model serving, CI/CD ML pipelines, on-device AI.

What is the CVSS score for CVE-2021-29603?

CVE-2021-29603 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. A specially crafted TFLite model could trigger an OOB write on heap in the TFLite implementation of `ArgMin`/`ArgMax` (https://github.com/tensorflow/tensorflow/blob/102b211d892f3abc14f845a72047809b39cc65ab/tensorflow/lite/kernels/arg_min_max.cc#L52-L59). If `axis_value` is not a value between 0 and `NumDimensions(input)`, then the condition in the `if` is never true, so code writes past the last valid element of `output_dims->data`. The fix will be included in TensorFlow 2.5.0. We will also cherry-pick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
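The following is an added illustration of the defect the NVD text describes and of the axis check that step 4 of the recommended actions calls for; it is standalone example code, not TensorFlow's `arg_min_max.cc`. It models the ArgMin/ArgMax shape-inference loop: the output has one dimension fewer than the input, so an `output_dims` buffer of `NumDimensions(input) - 1` entries is filled with every input dimension except `axis_value`. The names `axis_value`, `num_dimensions` and `output_dims` are taken from the description; `normalize_axis`, `unchecked_write_count` and `resize_output_checked` are names chosen here.

```cpp
#include <vector>

// Illustrative model of the ArgMin/ArgMax shape-inference logic from the
// advisory text; not TFLite's own code. Negative axes are wrapped the way a
// Python-style index is, which is why only the upper bound is left unchecked
// in the original pattern.
int normalize_axis(int axis_value, int num_dimensions) {
  return axis_value < 0 ? axis_value + num_dimensions : axis_value;
}

// Unpatched shape of the copy loop. Returns how many slots the loop would
// write into `output_dims`, which only holds num_dimensions - 1 entries.
// If `axis_value` never equals any i, the loop writes num_dimensions entries,
// i.e. one element past the end of the allocation. Only the count is
// computed here; no memory is written.
int unchecked_write_count(int num_dimensions, int axis_value) {
  int j = 0;
  for (int i = 0; i < num_dimensions; ++i) {
    if (i != axis_value) ++j;  // "condition in the if is never true" when axis is out of range
  }
  return j;
}

// Hardened version: validate the axis against the tensor rank before the
// copy loop runs, as the patch and recommended step 4 require. Returns false
// and leaves `output_dims` empty for a malformed axis, true otherwise.
bool resize_output_checked(const std::vector<int>& input_dims, int axis_value,
                           std::vector<int>& output_dims) {
  const int num_dimensions = static_cast<int>(input_dims.size());
  axis_value = normalize_axis(axis_value, num_dimensions);
  output_dims.clear();
  // The fix: axis must lie in [0, num_dimensions). A rank-0 input has no
  // valid axis at all and is rejected by the same test.
  if (axis_value < 0 || axis_value >= num_dimensions) return false;
  output_dims.reserve(num_dimensions - 1);
  for (int i = 0; i < num_dimensions; ++i) {
    if (i != axis_value) output_dims.push_back(input_dims[i]);
  }
  return true;
}
```

For a rank-3 input the unchecked loop attempts 2 writes with a valid axis but 3 with an out-of-range one, which is the single-element heap overrun of `output_dims->data`; the checked variant refuses the operator instead.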

Exploitation Scenario

An adversary targeting an organization with an edge AI deployment—such as a smart camera system or on-device fraud detection model—identifies that the organization pulls TFLite model updates from a third-party model provider or a public model hub without signature verification. The adversary compromises the model distribution endpoint or publishes a poisoned model to a repository the target trusts. The crafted .tflite file contains an ArgMin or ArgMax operator with an axis_value outside [0, NumDimensions(input)]. When the inference runtime loads and executes the model, it writes beyond the last valid element of the output dimensions array on the heap, corrupting adjacent allocations. With a pre-crafted heap spray layout, this is escalated to controlled code execution on the edge device, enabling persistent access, exfiltration of inference inputs (potentially PII from sensor data), or lateral movement into the broader network.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities