CVE-2021-29606: TensorFlow Lite: OOB read via crafted TFLite model

Severity: HIGH | PoC available
Published May 14, 2021
CISO Take

If your organization deploys TFLite models at the edge or in mobile/embedded inference pipelines, patch immediately to TF 2.5.0 (or the relevant backport). The real risk is supply chain: a malicious or tampered TFLite model loaded by a vulnerable runtime can trigger heap OOB read leading to C/I/A compromise. Audit all untrusted model sources and enforce model provenance controls.

Risk Assessment

CVSS 7.8 High with local attack vector reduces internet-facing exposure, but in AI/ML pipelines that load third-party, user-uploaded, or unvalidated TFLite models the effective attack surface widens significantly. Low attack complexity (AC:L) means exploitation is straightforward once a malicious model is loaded. No confirmed active exploitation (not in KEV), but proof-of-concept exists via the GitHub advisory. Risk escalates in edge deployments, IoT, and mobile inference where model updates may arrive over untrusted channels.

Affected Systems

Package: tensorflow
Ecosystem: pip
Patched: No patch

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.8 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 1% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

6 steps
  1. PATCH

    Upgrade to TensorFlow 2.5.0, or backports 2.4.2 / 2.3.3 / 2.2.3 / 2.1.4.

  2. MODEL VALIDATION

    Before loading any TFLite model, validate axis values and tensor dimension bounds — reject models with out-of-range axis parameters in Split_V nodes.

  3. MODEL PROVENANCE

    Enforce cryptographic signing and verification of TFLite model artifacts in your deployment pipeline.

  4. SANDBOXING

    Run TFLite inference in sandboxed processes (seccomp, AppArmor, containers) to limit blast radius of memory corruption.

  5. DETECTION

    Monitor for crashes or abnormal memory access patterns in TFLite inference services; unusual OOM or segfault logs may indicate exploit attempts.

  6. DEPENDENCY SCAN

    Audit all containers, mobile apps, and edge firmware for bundled TF versions — many ship months-old TF builds.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.2 - AI system testing and validation
A.8.4 - AI supply chain management
NIST AI RMF
GOVERN-6.2 - Policies and procedures for AI risk in third-party components
MS-2.5 - AI system testing for trustworthiness
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29606?

CVE-2021-29606 is a heap out-of-bounds read in TensorFlow Lite's implementation of the Split_V operator. A specially crafted TFLite model can carry an axis_value outside the range [0, NumDimensions(input)], and the SizeOfDimension function then reads past the bounds of the tensor shape array. The fix is included in TensorFlow 2.5.0 and backported to 2.4.2, 2.3.3, 2.2.3 and 2.1.4; a public proof of concept exists.

Is CVE-2021-29606 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29606, increasing the risk of exploitation.

How to fix CVE-2021-29606?

1. PATCH: Upgrade to TensorFlow 2.5.0, or backports 2.4.2 / 2.3.3 / 2.2.3 / 2.1.4.
2. MODEL VALIDATION: Before loading any TFLite model, validate axis values and tensor dimension bounds; reject models with out-of-range axis parameters in Split_V nodes.
3. MODEL PROVENANCE: Enforce cryptographic signing and verification of TFLite model artifacts in your deployment pipeline.
4. SANDBOXING: Run TFLite inference in sandboxed processes (seccomp, AppArmor, containers) to limit the blast radius of memory corruption.
5. DETECTION: Monitor for crashes or abnormal memory access patterns in TFLite inference services; unusual OOM or segfault logs may indicate exploit attempts.
6. DEPENDENCY SCAN: Audit all containers, mobile apps, and edge firmware for bundled TF versions; many ship months-old TF builds.

What systems are affected by CVE-2021-29606?

This vulnerability affects the following AI/ML architecture patterns: Edge ML inference (TFLite on IoT/mobile), Model serving pipelines, Model testing and conversion pipelines, Mobile ML applications (Android/iOS), OTA model update systems.

What is the CVSS score for CVE-2021-29606?

CVE-2021-29606 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. A specially crafted TFLite model could trigger an OOB read on heap in the TFLite implementation of `Split_V` (https://github.com/tensorflow/tensorflow/blob/c59c37e7b2d563967da813fa50fe20b21f4da683/tensorflow/lite/kernels/split_v.cc#L99). If `axis_value` is not a value between 0 and `NumDimensions(input)`, then the `SizeOfDimension` function (https://github.com/tensorflow/tensorflow/blob/102b211d892f3abc14f845a72047809b39cc65ab/tensorflow/lite/kernels/kernel_util.h#L148-L150) will access data outside the bounds of the tensor shape array. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
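The axis check at the heart of this bug, shown as an added C++ example that is not TensorFlow's own code: a bounds-checked stand-in for SizeOfDimension, the Split_V axis prologue in its fixed form, and the pre-load validation that step 2 of the recommended actions (MODEL VALIDATION) calls for. The types and functions here (TfLiteIntArray, TfLiteTensor, NormaliseAxis, ResolveSplitVAxis, SizeOfDimensionChecked, SplitVNode, FindBadSplitVAxes) are assumptions modelled on the advisory text, not the real TFLite types or the upstream fix; the tensor shape and the Split_V nodes fed to the validator are constructed sample input.

```cpp
#include <cstdio>
#include <vector>

// Stand-ins for TfLiteIntArray / TfLiteTensor / TfLiteStatus. Assumption: only
// the shape-related fields that the Split_V axis check touches are modelled.
struct TfLiteIntArray {
  int size;
  std::vector<int> data;
};
struct TfLiteTensor {
  TfLiteIntArray* dims;
};
enum TfLiteStatus { kTfLiteOk = 0, kTfLiteError = 1 };

int NumDimensions(const TfLiteTensor* t) { return t->dims->size; }

// Bounds-checked counterpart of kernel_util.h's SizeOfDimension. The original
// returns t->dims->data[dim] with no check on dim; an axis outside [0, rank)
// therefore reads past the shape array, which is the OOB read in this CVE.
// Returning false instead of a value makes a bad index visible to the caller.
bool SizeOfDimensionChecked(const TfLiteTensor* t, int dim, int* out) {
  if (dim < 0 || dim >= NumDimensions(t)) return false;
  *out = t->dims->data[dim];
  return true;
}

// Shared axis normalisation. TFLite lets a model express an axis as a negative
// offset from the last dimension, so the value is folded first and must then
// land inside [0, rank). Anything else is rejected.
bool NormaliseAxis(int rank, int axis_value, int* resolved) {
  if (axis_value < 0) axis_value += rank;
  if (axis_value < 0 || axis_value >= rank) return false;
  *resolved = axis_value;
  return true;
}

// Split_V prologue in its fixed form (assumption: written to match the
// behaviour the advisory describes, not copied from split_v.cc). A crafted
// axis now fails with kTfLiteError before any dimension lookup happens.
TfLiteStatus ResolveSplitVAxis(const TfLiteTensor* input, int axis_value, int* resolved) {
  if (!NormaliseAxis(NumDimensions(input), axis_value, resolved)) return kTfLiteError;
  return kTfLiteOk;
}

// Pre-load validation (step 2 of the recommended actions). A SplitVNode is what
// a model-scanning tool would extract per Split_V operator: the operator index,
// the rank of its input tensor, and the axis value stored in the model file.
struct SplitVNode {
  int node_index;
  int input_rank;
  int axis_value;
};

// Returns the indices of Split_V nodes whose axis the hardened kernel would
// reject. An empty result means the model passes this check and may be loaded.
std::vector<int> FindBadSplitVAxes(const std::vector<SplitVNode>& nodes) {
  std::vector<int> bad;
  for (const SplitVNode& n : nodes) {
    int resolved = 0;
    if (!NormaliseAxis(n.input_rank, n.axis_value, &resolved)) bad.push_back(n.node_index);
  }
  return bad;
}

int main() {
  // Constructed sample: a rank-3 input tensor of shape [1, 224, 224].
  TfLiteIntArray dims{3, {1, 224, 224}};
  TfLiteTensor input{&dims};

  const int probes[] = {1, -1, 3, -4};
  for (int axis : probes) {
    int resolved = 0;
    if (ResolveSplitVAxis(&input, axis, &resolved) == kTfLiteOk) {
      int size = 0;
      SizeOfDimensionChecked(&input, resolved, &size);
      std::printf("axis %2d -> ok, resolved %d, size %d\n", axis, resolved, size);
    } else {
      std::printf("axis %2d -> rejected (rank %d)\n", axis, NumDimensions(&input));
    }
  }

  // Constructed sample: Split_V nodes as a scanner might extract them from a model.
  std::vector<SplitVNode> nodes = {{0, 3, 1}, {4, 4, -1}, {9, 3, 7}, {12, 2, -3}};
  for (int idx : FindBadSplitVAxes(nodes)) {
    std::printf("reject model: Split_V node %d carries an out-of-range axis\n", idx);
  }
  return 0;
}
```

The same NormaliseAxis rule is used at both layers on purpose: the runtime check is the last line of defence inside the kernel, while FindBadSplitVAxes applies the identical rule to model metadata before the interpreter is ever invoked, so a tampered model can be refused at ingest rather than discovered as a crash in production.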

Exploitation Scenario

An adversary targeting an organization's edge ML pipeline crafts a TFLite model with a Split_V operation where axis_value is set to a value outside [0, NumDimensions(input)]. The model is injected via a compromised model registry, a malicious model marketplace upload, or a man-in-the-middle on an unencrypted OTA model update channel. When the vulnerable TFLite runtime loads and invokes the model for inference, SizeOfDimension accesses memory outside the tensor shape array bounds. Depending on heap layout, this leaks adjacent memory — potentially model weights, API keys, or session tokens stored in the same process — or triggers a crash used as part of a chained exploit for code execution on the inference device.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities