AI Threat Alert AI Threat Alert

CVE-2021-29613: TensorFlow: CTCLoss heap OOB read, info leak + crash

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

TensorFlow's CTCLoss operation fails to validate tensor inputs, allowing a low-privileged local attacker to read arbitrary heap memory or crash the ML runtime. Any TensorFlow deployment processing untrusted inputs through speech recognition, OCR, or sequence models is at risk — including inference APIs where external users submit data. Upgrade to TensorFlow 2.5.0 or apply the backport patches for 2.1.x–2.4.x immediately; no workaround exists short of patching.

Risk Assessment

Effective risk is moderate-to-high for AI serving environments despite the 'local' attack vector designation. In containerized ML inference deployments (TF Serving, Kubeflow, SageMaker custom containers), the attacker surface is any caller who can submit tensor payloads — effectively remote in practice. CVSS 7.1 reflects confidentiality and availability impact: heap contents exposed via OOB read may contain model weights, intermediate activations, or co-tenant data in shared inference environments. Exploitation complexity is low once an attacker identifies a CTCLoss-using endpoint.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.1 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 5% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I None
A High

Recommended Action

6 steps

  1. PATCH

    Upgrade to TensorFlow 2.5.0 or cherry-pick commits 14607c07 and 4504a081 onto 2.1.4, 2.2.3, 2.3.3, or 2.4.2.

  2. INVENTORY

    Identify all pipelines using tf.raw_ops.CTCLoss or high-level wrappers (tf.nn.ctc_loss) — grep codebase and model definitions.

  3. INPUT VALIDATION

    Until patched, add schema validation on tensor shapes and dtypes before CTCLoss ops in inference paths.

  4. ISOLATION

    Run inference workers with minimal filesystem/network privileges; use seccomp/AppArmor profiles to contain heap read impact.

  5. DETECT

    Monitor for unexpected TF process crashes (SIGSEGV) in inference pods — may indicate exploitation attempts.

  6. CONTAINER REBUILD

    If using TF Docker images, rebuild or pull patched base images and redeploy.

Classification

DoS Data Extraction Framework Inference AML.T0010.001 AML.T0029 AML.T0043 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security testing A.9.3 - Supplier relationships — AI supply chain
NIST AI RMF
GOVERN-1.2 - Policies and processes for AI risk management MANAGE-2.2 - Mechanisms to sustain and improve AI risk management

Frequently Asked Questions

What is CVE-2021-29613?

TensorFlow's CTCLoss operation fails to validate tensor inputs, allowing a low-privileged local attacker to read arbitrary heap memory or crash the ML runtime. Any TensorFlow deployment processing untrusted inputs through speech recognition, OCR, or sequence models is at risk — including inference APIs where external users submit data. Upgrade to TensorFlow 2.5.0 or apply the backport patches for 2.1.x–2.4.x immediately; no workaround exists short of patching.

Is CVE-2021-29613 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29613, increasing the risk of exploitation.

How to fix CVE-2021-29613?

1. PATCH: Upgrade to TensorFlow 2.5.0 or cherry-pick commits 14607c07 and 4504a081 onto 2.1.4, 2.2.3, 2.3.3, or 2.4.2. 2. INVENTORY: Identify all pipelines using tf.raw_ops.CTCLoss or high-level wrappers (tf.nn.ctc_loss) — grep codebase and model definitions. 3. INPUT VALIDATION: Until patched, add schema validation on tensor shapes and dtypes before CTCLoss ops in inference paths. 4. ISOLATION: Run inference workers with minimal filesystem/network privileges; use seccomp/AppArmor profiles to contain heap read impact. 5. DETECT: Monitor for unexpected TF process crashes (SIGSEGV) in inference pods — may indicate exploitation attempts. 6. CONTAINER REBUILD: If using TF Docker images, rebuild or pull patched base images and redeploy.

What systems are affected by CVE-2021-29613?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, speech and OCR inference services, multi-tenant ML platforms.

What is the CVSS score for CVE-2021-29613?

CVE-2021-29613 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `tf.raw_ops.CTCLoss` allows an attacker to trigger an OOB read from heap. The fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting a speech recognition API built on TensorFlow crafts a malformed audio tensor with mismatched sequence lengths designed to violate CTCLoss's internal assumptions. By submitting this payload to the inference endpoint, the incomplete input validation triggers an OOB heap read. In a multi-tenant inference cluster, the read may surface memory from adjacent request buffers — potentially exposing other users' audio transcriptions, partial model weight values, or session metadata. Alternatively, a malicious dataset contributor in a collaborative training environment submits poisoned CTC training samples that crash the training worker, causing job disruption and potential data loss if checkpointing is infrequent.

Weaknesses (CWE)

CWE-125 Primary CWE-665

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed