CVE-2021-29604: TFLite: DoS via division by zero in hashtable lookup

MEDIUM PoC AVAILABLE
Published May 14, 2021
CISO Take

An adversary can craft a malicious .tflite model file with a zero-dimension values tensor to crash TensorFlow Lite's inference process. Primary risk is in deployments that load models from external or untrusted sources — mobile apps, edge devices, or model-serving APIs accepting user-submitted models. Patch to TF 2.5.0 (or backports to 2.4.2/2.3.3/2.2.3/2.1.4) and enforce model provenance controls immediately.

What is the risk?

Medium risk (CVSS 5.5, local vector). Exploitation is straightforward — crafting a malformed .tflite model requires only basic TFLite knowledge, making this trivially reproducible. Impact is limited to availability (availability:high, no confidentiality or integrity impact per CVSS vector). Exposure is highest where external model files are ingested at runtime; internal-only, signed model pipelines reduce risk significantly. Not in CISA KEV; no evidence of active exploitation in the wild.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
TensorFlow | pip | | No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 5.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 9% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: None
A: High

What should I do?

  1. Patch: upgrade to TensorFlow 2.5.0 or apply backports to 2.4.2, 2.3.3, 2.2.3, or 2.1.4 (commit 5117e08).

  2. Model provenance: enforce cryptographic signing and verification of all .tflite model files before loading; reject unsigned or unrecognized models.

  3. Input validation: add pre-load schema checks validating that tensor dimensions are non-zero before invoking TFLite kernels.

  4. Isolation: run TFLite inference in sandboxed processes so a crash does not affect the broader application or service availability.

  5. Detection: monitor for abnormal inference process terminations or crash dumps referencing hashtable_lookup.cc; correlate with recent model file changes or downloads.
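
The provenance, isolation and detection steps above can be combined in one loader wrapper. This is an added example, not code from the advisory or from TensorFlow: it swaps a pinned SHA-256 allowlist in for full signature verification, assumes a POSIX host, and uses constructed stand-in workers (`OK_WORKER`, `CRASH_WORKER`) in place of a real TFLite inference process; `run_guarded` and `digest` are hypothetical names.

```python
import hashlib
import hmac
import signal
import subprocess
import sys

# Constructed stand-ins for a real inference worker (assumption: the real one
# would read the model from stdin and run it with the TFLite interpreter).
# CRASH_WORKER dies with SIGFPE, the signal Linux raises for an integer
# division by zero on x86, to mimic the crash described in the advisory.
OK_WORKER = [sys.executable, "-c", "import sys; sys.stdin.buffer.read()"]
CRASH_WORKER = [sys.executable, "-c",
                "import os, signal, sys; sys.stdin.buffer.read(); "
                "os.kill(os.getpid(), signal.SIGFPE)"]


def digest(model):
    """SHA-256 of the raw model bytes, as lowercase hex."""
    return hashlib.sha256(model).hexdigest()


def run_guarded(model, pinned, worker, timeout=30.0):
    """Check the model against pinned digests, then run it in a child process.

    Returns a dict suitable for logging, so crashes can be correlated with the
    model digest that caused them.
    """
    d = digest(model)
    # Provenance: refuse any model whose digest is not pinned.
    if not any(hmac.compare_digest(d, p) for p in pinned):
        return {"status": "rejected", "sha256": d}
    # Isolation: a crash kills only the child, not the calling service.
    try:
        proc = subprocess.run(worker, input=model, capture_output=True,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "sha256": d}
    # Detection: a negative return code means the child was killed by a signal.
    if proc.returncode < 0:
        name = signal.Signals(-proc.returncode).name
        return {"status": "crashed", "signal": name, "sha256": d}
    if proc.returncode != 0:
        return {"status": "error", "code": proc.returncode, "sha256": d}
    return {"status": "ok", "sha256": d}
```

Logging the returned dict gives the crash signal and the model digest in one record, which is the correlation step 5 asks for.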

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system for high-risk AI
ISO 42001: 6.1.2 - AI risk assessment; 8.4 - AI system operation and monitoring
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems

Frequently Asked Questions

What is CVE-2021-29604?

An adversary can craft a malicious .tflite model file with a zero-dimension values tensor to crash TensorFlow Lite's inference process. Primary risk is in deployments that load models from external or untrusted sources — mobile apps, edge devices, or model-serving APIs accepting user-submitted models. Patch to TF 2.5.0 (or backports to 2.4.2/2.3.3/2.2.3/2.1.4) and enforce model provenance controls immediately.

Is CVE-2021-29604 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29604, increasing the risk of exploitation.

How to fix CVE-2021-29604?

  1. Patch: upgrade to TensorFlow 2.5.0 or apply backports to 2.4.2, 2.3.3, 2.2.3, or 2.1.4 (commit 5117e08).

  2. Model provenance: enforce cryptographic signing and verification of all .tflite model files before loading; reject unsigned or unrecognized models.

  3. Input validation: add pre-load schema checks validating that tensor dimensions are non-zero before invoking TFLite kernels.

  4. Isolation: run TFLite inference in sandboxed processes so a crash does not affect the broader application or service availability.

  5. Detection: monitor for abnormal inference process terminations or crash dumps referencing hashtable_lookup.cc; correlate with recent model file changes or downloads.

What systems are affected by CVE-2021-29604?

This vulnerability affects the following AI/ML architecture patterns: edge inference, model serving, mobile ML deployment, on-device AI pipelines.

What is the CVSS score for CVE-2021-29604?

CVE-2021-29604 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.19%.

What is the AI security impact?

Affected AI Architectures

edge inference, model serving, mobile ML deployment, on-device AI pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0029 Denial of AI Service

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 6.1.2, 8.4
NIST AI RMF: MANAGE 2.2

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of hashtable lookup is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/1a8e885b864c818198a5b2c0cbbeca5a1e833bc8/tensorflow/lite/kernels/hashtable_lookup.cc#L114-L115). An attacker can craft a model such that `values`'s first dimension would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with write access to a model distribution channel — a compromised model update CDN, a model marketplace listing, or an OTA update endpoint for an edge device fleet — publishes a crafted .tflite model where the hashtable lookup values tensor has a first dimension of 0. When target devices pull and execute the model during normal inference, the division-by-zero in the TFLite kernel crashes the inference engine. For a fleet of smart cameras or industrial IoT devices running TFLite, this constitutes a scalable, remotely-triggered DoS against AI inference capability with no code execution required beyond model delivery.

Weaknesses (CWE)

CWE-369 — Divide By Zero: The product divides a value by zero.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: May 14, 2021
Last Modified: November 21, 2024
First Seen: May 14, 2021
