CVE-2021-29604: TFLite: DoS via division by zero in hashtable lookup

MEDIUM PoC AVAILABLE
Published May 14, 2021
CISO Take

An adversary can craft a malicious .tflite model file with a zero-dimension values tensor to crash TensorFlow Lite's inference process. Primary risk is in deployments that load models from external or untrusted sources — mobile apps, edge devices, or model-serving APIs accepting user-submitted models. Patch to TF 2.5.0 (or backports to 2.4.2/2.3.3/2.2.3/2.1.4) and enforce model provenance controls immediately.

Risk Assessment

Medium risk (CVSS 5.5, local vector). Exploitation is straightforward — crafting a malformed .tflite model requires only basic TFLite knowledge, making this trivially reproducible. Impact is limited to availability (availability:high, no confidentiality or integrity impact per CVSS vector). Exposure is highest where external model files are ingested at runtime; internal-only, signed model pipelines reduce risk significantly. Not in CISA KEV; no evidence of active exploitation in the wild.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
tensorflow | pip | | No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch

Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

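Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High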

Recommended Action

  1. Patch: upgrade to TensorFlow 2.5.0 or apply backports to 2.4.2, 2.3.3, 2.2.3, or 2.1.4 (commit 5117e08).

  2. Model provenance: enforce cryptographic signing and verification of all .tflite model files before loading; reject unsigned or unrecognized models.

  3. Input validation: add pre-load schema checks validating that tensor dimensions are non-zero before invoking TFLite kernels.

  4. Isolation: run TFLite inference in sandboxed processes so a crash does not affect the broader application or service availability.

  5. Detection: monitor for abnormal inference process terminations or crash dumps referencing hashtable_lookup.cc; correlate with recent model file changes or downloads.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system for high-risk AI
ISO 42001: 6.1.2 - AI risk assessment; 8.4 - AI system operation and monitoring
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems

Frequently Asked Questions

What is CVE-2021-29604?

An adversary can craft a malicious .tflite model file with a zero-dimension values tensor to crash TensorFlow Lite's inference process. Primary risk is in deployments that load models from external or untrusted sources — mobile apps, edge devices, or model-serving APIs accepting user-submitted models. Patch to TF 2.5.0 (or backports to 2.4.2/2.3.3/2.2.3/2.1.4) and enforce model provenance controls immediately.

Is CVE-2021-29604 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29604, increasing the risk of exploitation.

How to fix CVE-2021-29604?

  1. Patch: upgrade to TensorFlow 2.5.0 or apply backports to 2.4.2, 2.3.3, 2.2.3, or 2.1.4 (commit 5117e08).

  2. Model provenance: enforce cryptographic signing and verification of all .tflite model files before loading; reject unsigned or unrecognized models.

  3. Input validation: add pre-load schema checks validating that tensor dimensions are non-zero before invoking TFLite kernels.

  4. Isolation: run TFLite inference in sandboxed processes so a crash does not affect the broader application or service availability.

  5. Detection: monitor for abnormal inference process terminations or crash dumps referencing hashtable_lookup.cc; correlate with recent model file changes or downloads.

What systems are affected by CVE-2021-29604?

This vulnerability affects the following AI/ML architecture patterns: edge inference, model serving, mobile ML deployment, on-device AI pipelines.

What is the CVSS score for CVE-2021-29604?

CVE-2021-29604 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of hashtable lookup is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/1a8e885b864c818198a5b2c0cbbeca5a1e833bc8/tensorflow/lite/kernels/hashtable_lookup.cc#L114-L115). An attacker can craft a model such that `values`'s first dimension would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
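
The class of bug described above, reduced to a stand-alone C sketch (an added example, not TensorFlow's code): it assumes a per-row size is derived by dividing a tensor's total byte count by its first dimension, so a model-supplied first dimension of 0 must be rejected before the division. The `toy_tensor` struct and both function names are hypothetical, and the divisibility check goes beyond the zero-dimension case in the text.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a tensor; not TFLite's own tensor type. */
typedef struct {
    size_t bytes;   /* total size of the tensor data in bytes */
    int num_dims;   /* number of valid entries in dims */
    int dims[4];    /* shape; dims[0] is the row count */
} toy_tensor;

/* Unguarded pattern: a model-controlled dims[0] of 0 makes this divide by zero. */
size_t row_bytes_unchecked(const toy_tensor *t) {
    return t->bytes / (size_t)t->dims[0];
}

/* Guarded form: returns 0 and writes *out on success, -1 on a rejected shape. */
int row_bytes_checked(const toy_tensor *t, size_t *out) {
    if (t == NULL || out == NULL) return -1;
    if (t->num_dims < 1 || t->num_dims > 4) return -1;
    if (t->dims[0] <= 0) return -1;             /* the zero-row case */
    size_t rows = (size_t)t->dims[0];
    if (t->bytes % rows != 0) return -1;        /* size disagrees with shape */
    *out = t->bytes / rows;
    return 0;
}

int main(void) {
    /* Constructed samples: a 3x4 float32 tensor, a zero-row tensor, a mismatch. */
    toy_tensor samples[] = {
        { 48, 2, {3, 4, 0, 0} },
        { 0,  2, {0, 4, 0, 0} },
        { 50, 2, {3, 4, 0, 0} },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t rb = 0;
        if (row_bytes_checked(&samples[i], &rb) == 0)
            printf("sample %zu: %zu bytes per row\n", i, rb);
        else
            printf("sample %zu: rejected before division\n", i);
    }
    return 0;
}
```

The same rejection applied at model-load time, before any kernel runs, is what the pre-load dimension check in the recommended actions amounts to.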

Exploitation Scenario

An adversary with write access to a model distribution channel — a compromised model update CDN, a model marketplace listing, or an OTA update endpoint for an edge device fleet — publishes a crafted .tflite model where the hashtable lookup values tensor has a first dimension of 0. When target devices pull and execute the model during normal inference, the division-by-zero in the TFLite kernel crashes the inference engine. For a fleet of smart cameras or industrial IoT devices running TFLite, this constitutes a scalable, remotely-triggered DoS against AI inference capability with no code execution required beyond model delivery.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: May 14, 2021
Last Modified: November 21, 2024
First Seen: May 14, 2021
