AI Threat Alert

CVE-2021-29603: TensorFlow TFLite: heap OOB write via malformed model

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

A specially crafted TFLite model file triggers a heap out-of-bounds write in ArgMin/ArgMax operators, enabling potential code execution on inference hosts. Organizations deploying TFLite for mobile, edge, or server-side inference—particularly those that auto-update model files from external sources—face meaningful supply chain risk. Patch to TensorFlow 2.5.0 or cherry-pick the fix to affected branches (2.1.4/2.2.3/2.3.3/2.4.2) and enforce cryptographic model signing immediately.

What is the risk?

CVSS 7.8 (High) with local attack vector and low complexity is deceptive: in automated ML inference pipelines that load externally sourced TFLite models, 'local' maps to any process that can inject a model file, lowering the effective bar significantly. No user interaction required means exploitation can be fully automated. Not in CISA KEV and 2021 vintage reduces immediate urgency, but unpatched TFLite deployments—common in legacy edge and mobile AI systems—remain persistently exposed. The absence of EPSS data and lack of known active exploitation keep this at elevated-but-not-critical priority.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 10% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

6 steps

  1. Patch: Upgrade to TensorFlow 2.5.0 or cherry-pick commit c59c37e7b2d563967da813fa50fe20b21f4da683 into supported branches (2.1.4, 2.2.3, 2.3.3, 2.4.2).

  2. Model provenance: Enforce cryptographic signing and signature verification for all TFLite model files prior to loading—reject any unsigned or unverifiable artifact.

  3. Sandbox inference: Run TFLite inference in isolated processes or containers with minimal OS privileges to contain blast radius from memory corruption exploits.

  4. Input validation: Validate operator axis parameters against tensor dimensions at model load time as a defense-in-depth layer.

  5. Dependency audit: Scan all internal systems for TFLite library versions predating 2.5.0 using SCA tools; prioritize edge and embedded deployments that may not follow standard patch cycles.

  6. Detection: Alert on abnormal crashes, segfaults, or memory errors in TFLite inference workers as potential indicators of exploitation attempts.

How is it classified?

Code Execution Supply Chain Framework Inference AML.T0010.001 AML.T0010.003 AML.T0011.000

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security
NIST AI RMF
GOVERN-1.7 - Policies and procedures for AI risk governance MANAGE-2.2 - Mechanisms to sustain and improve AI risk management

Frequently Asked Questions

What is CVE-2021-29603?

A specially crafted TFLite model file triggers a heap out-of-bounds write in ArgMin/ArgMax operators, enabling potential code execution on inference hosts. Organizations deploying TFLite for mobile, edge, or server-side inference—particularly those that auto-update model files from external sources—face meaningful supply chain risk. Patch to TensorFlow 2.5.0 or cherry-pick the fix to affected branches (2.1.4/2.2.3/2.3.3/2.4.2) and enforce cryptographic model signing immediately.

Is CVE-2021-29603 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29603, increasing the risk of exploitation.

How to fix CVE-2021-29603?

1. Patch: Upgrade to TensorFlow 2.5.0 or cherry-pick commit c59c37e7b2d563967da813fa50fe20b21f4da683 into supported branches (2.1.4, 2.2.3, 2.3.3, 2.4.2). 2. Model provenance: Enforce cryptographic signing and signature verification for all TFLite model files prior to loading—reject any unsigned or unverifiable artifact. 3. Sandbox inference: Run TFLite inference in isolated processes or containers with minimal OS privileges to contain blast radius from memory corruption exploits. 4. Input validation: Validate operator axis parameters against tensor dimensions at model load time as a defense-in-depth layer. 5. Dependency audit: Scan all internal systems for TFLite library versions predating 2.5.0 using SCA tools; prioritize edge and embedded deployments that may not follow standard patch cycles. 6. Detection: Alert on abnormal crashes, segfaults, or memory errors in TFLite inference workers as potential indicators of exploitation attempts.

What systems are affected by CVE-2021-29603?

This vulnerability affects the following AI/ML architecture patterns: edge inference, mobile ML deployment, model serving, CI/CD ML pipelines, on-device AI.

What is the CVSS score for CVE-2021-29603?

CVE-2021-29603 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

edge inferencemobile ML deploymentmodel servingCI/CD ML pipelineson-device AI

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN-1.7, MANAGE-2.2

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. A specially crafted TFLite model could trigger an OOB write on heap in the TFLite implementation of `ArgMin`/`ArgMax`(https://github.com/tensorflow/tensorflow/blob/102b211d892f3abc14f845a72047809b39cc65ab/tensorflow/lite/kernels/arg_min_max.cc#L52-L59). If `axis_value` is not a value between 0 and `NumDimensions(input)`, then the condition in the `if` is never true, so code writes past the last valid element of `output_dims->data`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting an organization with an edge AI deployment—such as a smart camera system or on-device fraud detection model—identifies that the organization pulls TFLite model updates from a third-party model provider or a public model hub without signature verification. The adversary compromises the model distribution endpoint or publishes a poisoned model to a repository the target trusts. The crafted .tflite file contains an ArgMin or ArgMax operator with an axis_value outside [0, NumDimensions(input)]. When the inference runtime loads and executes the model, it writes beyond the last valid element of the output dimensions array on the heap, corrupting adjacent allocations. With a pre-crafted heap spray layout, this is escalated to controlled code execution on the edge device, enabling persistent access, exfiltration of inference inputs (potentially PII from sensor data), or lateral movement into the broader network.

Weaknesses (CWE)

CWE-787 Out-of-bounds Write

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed