CVE-2021-29606: TensorFlow Lite: OOB read via crafted TFLite model

Severity: HIGH. Public PoC available.
Published May 14, 2021
CISO Take

If your organization deploys TFLite models at the edge or in mobile/embedded inference pipelines, patch immediately to TF 2.5.0 (or the relevant backport). The real risk is supply chain: a malicious or tampered TFLite model loaded by a vulnerable runtime can trigger heap OOB read leading to C/I/A compromise. Audit all untrusted model sources and enforce model provenance controls.

What is the risk?

The CVSS 7.8 (High) score carries a local attack vector, which reduces internet-facing exposure, but in AI/ML pipelines that load third-party, user-uploaded, or unvalidated TFLite models the effective attack surface widens significantly. Low attack complexity (AC:L) means exploitation is straightforward once a malicious model is loaded. There is no confirmed active exploitation (the CVE is not in CISA KEV), but a proof of concept exists via the GitHub advisory. Risk escalates in edge deployments, IoT, and mobile inference, where model updates may arrive over untrusted channels.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
TensorFlow | pip | | No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 7.8 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 12% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

  1. PATCH: Upgrade to TensorFlow 2.5.0, or backports 2.4.2 / 2.3.3 / 2.2.3 / 2.1.4.
  2. MODEL VALIDATION: Before loading any TFLite model, validate axis values and tensor dimension bounds — reject models with out-of-range axis parameters in Split_V nodes.
  3. MODEL PROVENANCE: Enforce cryptographic signing and verification of TFLite model artifacts in your deployment pipeline.
  4. SANDBOXING: Run TFLite inference in sandboxed processes (seccomp, AppArmor, containers) to limit the blast radius of memory corruption.
  5. DETECTION: Monitor for crashes or abnormal memory access patterns in TFLite inference services; unusual OOM or segfault logs may indicate exploit attempts.
  6. DEPENDENCY SCAN: Audit all containers, mobile apps, and edge firmware for bundled TF versions — many ship months-old TF builds.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

  • EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
  • ISO 42001: A.10.2 - AI system testing and validation; A.8.4 - AI supply chain management
  • NIST AI RMF: GOVERN-6.2 - Policies and procedures for AI risk in third-party components; MS-2.5 - AI system testing for trustworthiness
  • OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2021-29606 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29606, increasing the risk of exploitation.

What systems are affected by CVE-2021-29606?

This vulnerability affects the following AI/ML architecture patterns: Edge ML inference (TFLite on IoT/mobile), Model serving pipelines, Model testing and conversion pipelines, Mobile ML applications (Android/iOS), OTA model update systems.

What is the CVSS score for CVE-2021-29606?

CVE-2021-29606 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.21%.

What is the AI security impact?

Affected AI Architectures

  • Edge ML inference (TFLite on IoT/mobile)
  • Model serving pipelines
  • Model testing and conversion pipelines
  • Mobile ML applications (Android/iOS)
  • OTA model update systems

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.10.2, A.8.4
NIST AI RMF: GOVERN-6.2, MS-2.5
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. A specially crafted TFLite model could trigger an OOB read on heap in the TFLite implementation of [`Split_V`](https://github.com/tensorflow/tensorflow/blob/c59c37e7b2d563967da813fa50fe20b21f4da683/tensorflow/lite/kernels/split_v.cc#L99). If `axis_value` is not a value between 0 and `NumDimensions(input)`, then the [`SizeOfDimension` function](https://github.com/tensorflow/tensorflow/blob/102b211d892f3abc14f845a72047809b39cc65ab/tensorflow/lite/kernels/kernel_util.h#L148-L150) will access data outside the bounds of the tensor shape array. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
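The defect the advisory describes, and the validation that step 2 (MODEL VALIDATION) asks for, as an added illustration in plain C++ that is not TensorFlow's own kernel code: a simplified shape lookup with the missing range check beside its hardened form, and a Split_V-style prepare step that rejects the model instead of reading past the shape array. The `Tensor` struct and the function names are assumptions modelled on the advisory's description; TFLite's real kernels use `TfLiteTensor` and `TF_LITE_ENSURE`.

```cpp
#include <cstdint>
#include <vector>

// Minimal stand-in for a TFLite tensor: only the shape array matters for
// this bug, so that is all we model. (Illustration, not TensorFlow's code.)
struct Tensor {
    std::vector<int32_t> dims;  // tensor shape, one entry per dimension
};

int NumDimensions(const Tensor& t) { return static_cast<int>(t.dims.size()); }

// Vulnerable pattern: index the shape array with a model-controlled axis and
// no range check. With axis outside [0, rank) this reads past the array,
// which is the out-of-bounds read the advisory describes. It exists here only
// to show the missing check; never call it with an unvalidated axis.
int32_t SizeOfDimensionUnchecked(const Tensor& t, int axis) {
    return t.dims.data()[axis];
}

// Hardened pattern: refuse any axis that is not a valid dimension index and
// report the rejection to the caller instead of touching memory.
bool SizeOfDimensionChecked(const Tensor& t, int axis, int32_t* size) {
    if (axis < 0 || axis >= NumDimensions(t)) return false;
    *size = t.dims[axis];
    return true;
}

// Simplified shape of a Split_V prepare step: the axis value comes from a
// tensor inside the model, negative axes count from the end (TFLite's
// convention), and the outcome is either the size of the split dimension or
// a rejection of the model. Returns false when the model must be rejected.
bool PrepareSplitV(const Tensor& input, int axis_value, int32_t* split_dim) {
    const int rank = NumDimensions(input);
    if (axis_value < 0) axis_value += rank;  // -1 means the last dimension
    // Crafted models put axis_value outside [0, rank): reject, do not index.
    return SizeOfDimensionChecked(input, axis_value, split_dim);
}
```

A pre-load validator can apply the same rule to every SPLIT_V node's axis tensor before the interpreter is ever built, which is the check step 2 describes.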

Exploitation Scenario

An adversary targeting an organization's edge ML pipeline crafts a TFLite model with a Split_V operation where axis_value is set to a value outside [0, NumDimensions(input)]. The model is injected via a compromised model registry, a malicious model marketplace upload, or a man-in-the-middle on an unencrypted OTA model update channel. When the vulnerable TFLite runtime loads and invokes the model for inference, SizeOfDimension accesses memory outside the tensor shape array bounds. Depending on heap layout, this leaks adjacent memory — potentially model weights, API keys, or session tokens stored in the same process — or triggers a crash used as part of a chained exploit for code execution on the inference device.

Weaknesses (CWE)

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: May 14, 2021
Last Modified: November 21, 2024
First Seen: May 14, 2021
