CVE-2021-29608 — HIGH (CVSS 7.8) AI Security Vulnerability

CISO Take

Any TensorFlow deployment below 2.5.0 (or unpatched 2.1.x–2.4.x) is vulnerable to heap out-of-bounds access via malformed ragged tensor inputs, enabling local privilege escalation to full system compromise. Patch to TF 2.5.0 or the respective cherrypick releases (2.1.4, 2.2.3, 2.3.3, 2.4.2) immediately. Prioritize ML training clusters and multi-tenant inference servers where low-privileged users can submit ops.

Risk Assessment

High risk for shared or multi-tenant ML infrastructure. CVSS 7.8 with local, low-complexity, low-privilege vector means any authenticated user on a shared training node or Jupyter environment can exploit this. DCHECK guards are compiled out in release builds, removing the only defensive layer. No active KEV listing reduces urgency for internet-exposed systems, but internal threat actors or compromised ML user accounts pose a credible path to host takeover.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 7% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

Patch: Upgrade to TensorFlow 2.5.0 or backport releases 2.1.4/2.2.3/2.3.3/2.4.2.
Workaround: Restrict access to tf.raw_ops.RaggedTensorToTensor via op allowlisting if running custom serving infrastructure.
Network isolation: Ensure TF Serving endpoints are not directly reachable by untrusted users.
Detection: Audit for anomalous process spawning or privilege escalation events on ML training hosts; monitor for empty-tensor inputs passed to RaggedTensor ops in serving logs.
Inventory: Scan all ML environments (notebooks, CI/CD pipelines, serving containers) for vulnerable TF versions using package managers or SBOM tooling.

Classification

Code Execution Supply Chain Framework Training Data AML.T0010.001 - AI Software AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.7.4 - Third-party and external AI components risk management

NIST AI RMF

GOVERN-6.2 - Policies for third-party AI risk MANAGE-2.2 - Mechanisms for sustaining AI system integrity across lifecycle

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29608?

Any TensorFlow deployment below 2.5.0 (or unpatched 2.1.x–2.4.x) is vulnerable to heap out-of-bounds access via malformed ragged tensor inputs, enabling local privilege escalation to full system compromise. Patch to TF 2.5.0 or the respective cherrypick releases (2.1.4, 2.2.3, 2.3.3, 2.4.2) immediately. Prioritize ML training clusters and multi-tenant inference servers where low-privileged users can submit ops.

Is CVE-2021-29608 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29608, increasing the risk of exploitation.

How to fix CVE-2021-29608?

1. Patch: Upgrade to TensorFlow 2.5.0 or backport releases 2.1.4/2.2.3/2.3.3/2.4.2. 2. Workaround: Restrict access to tf.raw_ops.RaggedTensorToTensor via op allowlisting if running custom serving infrastructure. 3. Network isolation: Ensure TF Serving endpoints are not directly reachable by untrusted users. 4. Detection: Audit for anomalous process spawning or privilege escalation events on ML training hosts; monitor for empty-tensor inputs passed to RaggedTensor ops in serving logs. 5. Inventory: Scan all ML environments (notebooks, CI/CD pipelines, serving containers) for vulnerable TF versions using package managers or SBOM tooling.

What systems are affected by CVE-2021-29608?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, notebook environments, data preprocessing pipelines.

What is the CVSS score for CVE-2021-29608?

CVE-2021-29608 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.RaggedTensorToTensor`, an attacker can exploit an undefined behavior if input arguments are empty. The implementation(https://github.com/tensorflow/tensorflow/blob/656e7673b14acd7835dc778867f84916c6d1cac2/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L356-L360) only checks that one of the tensors is not empty, but does not check for the other ones. There are multiple `DCHECK` validations to prevent heap OOB, but these are no-op in release builds, hence they don't prevent anything. The fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with a low-privileged account on a shared ML training cluster submits a TensorFlow job containing a crafted call to tf.raw_ops.RaggedTensorToTensor with an intentionally empty input tensor. The missing validation in release builds skips the DCHECK guards, triggering undefined behavior and heap OOB access. On a vulnerable host, this translates to a controlled memory corruption primitive, enabling the attacker to overwrite adjacent heap structures and escalate to the privileges of the TensorFlow process—often a service account with access to training data, model artifacts, and cloud credentials stored in environment variables.