CVE-2021-29613: TensorFlow CTCLoss heap OOB read,

CISO Take

TensorFlow's CTCLoss operation fails to validate tensor inputs, allowing a low-privileged local attacker to read arbitrary heap memory or crash the ML runtime. Any TensorFlow deployment processing untrusted inputs through speech recognition, OCR, or sequence models is at risk — including inference APIs where external users submit data. Upgrade to TensorFlow 2.5.0 or apply the backport patches for 2.1.x–2.4.x immediately; no workaround exists short of patching.

What is the risk?

Effective risk is moderate-to-high for AI serving environments despite the 'local' attack vector designation. In containerized ML inference deployments (TF Serving, Kubeflow, SageMaker custom containers), the attacker surface is any caller who can submit tensor payloads — effectively remote in practice. CVSS 7.1 reflects confidentiality and availability impact: heap contents exposed via OOB read may contain model weights, intermediate activations, or co-tenant data in shared inference environments. Exploitation complexity is low once an attacker identifies a CTCLoss-using endpoint.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

7.1 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 15% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I None

A High

What should I do?

6 steps

PATCH

Upgrade to TensorFlow 2.5.0 or cherry-pick commits 14607c07 and 4504a081 onto 2.1.4, 2.2.3, 2.3.3, or 2.4.2.
INVENTORY

Identify all pipelines using tf.raw_ops.CTCLoss or high-level wrappers (tf.nn.ctc_loss) — grep codebase and model definitions.
INPUT VALIDATION

Until patched, add schema validation on tensor shapes and dtypes before CTCLoss ops in inference paths.
ISOLATION

Run inference workers with minimal filesystem/network privileges; use seccomp/AppArmor profiles to contain heap read impact.
DETECT

Monitor for unexpected TF process crashes (SIGSEGV) in inference pods — may indicate exploitation attempts.
CONTAINER REBUILD

If using TF Docker images, rebuild or pull patched base images and redeploy.

How is it classified?

DoS Data Extraction Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0043 - Craft Adversarial Data AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system security testing A.9.3 - Supplier relationships — AI supply chain

NIST AI RMF

GOVERN-1.2 - Policies and processes for AI risk management MANAGE-2.2 - Mechanisms to sustain and improve AI risk management

Frequently Asked Questions

What is CVE-2021-29613?

TensorFlow's CTCLoss operation fails to validate tensor inputs, allowing a low-privileged local attacker to read arbitrary heap memory or crash the ML runtime. Any TensorFlow deployment processing untrusted inputs through speech recognition, OCR, or sequence models is at risk — including inference APIs where external users submit data. Upgrade to TensorFlow 2.5.0 or apply the backport patches for 2.1.x–2.4.x immediately; no workaround exists short of patching.

Is CVE-2021-29613 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29613, increasing the risk of exploitation.

How to fix CVE-2021-29613?

1. PATCH: Upgrade to TensorFlow 2.5.0 or cherry-pick commits 14607c07 and 4504a081 onto 2.1.4, 2.2.3, 2.3.3, or 2.4.2. 2. INVENTORY: Identify all pipelines using tf.raw_ops.CTCLoss or high-level wrappers (tf.nn.ctc_loss) — grep codebase and model definitions. 3. INPUT VALIDATION: Until patched, add schema validation on tensor shapes and dtypes before CTCLoss ops in inference paths. 4. ISOLATION: Run inference workers with minimal filesystem/network privileges; use seccomp/AppArmor profiles to contain heap read impact. 5. DETECT: Monitor for unexpected TF process crashes (SIGSEGV) in inference pods — may indicate exploitation attempts. 6. CONTAINER REBUILD: If using TF Docker images, rebuild or pull patched base images and redeploy.

What systems are affected by CVE-2021-29613?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, speech and OCR inference services, multi-tenant ML platforms.

What is the CVSS score for CVE-2021-29613?

CVE-2021-29613 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.24%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingspeech and OCR inference servicesmulti-tenant ML platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0029 Denial of AI Service

AML.T0043 Craft Adversarial Data

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.6, A.9.3

NIST AI RMF: GOVERN-1.2, MANAGE-2.2

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `tf.raw_ops.CTCLoss` allows an attacker to trigger an OOB read from heap. The fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting a speech recognition API built on TensorFlow crafts a malformed audio tensor with mismatched sequence lengths designed to violate CTCLoss's internal assumptions. By submitting this payload to the inference endpoint, the incomplete input validation triggers an OOB heap read. In a multi-tenant inference cluster, the read may surface memory from adjacent request buffers — potentially exposing other users' audio transcriptions, partial model weight values, or session metadata. Alternatively, a malicious dataset contributor in a collaborative training environment submits poisoned CTC training samples that crash the training worker, causing job disruption and potential data loss if checkpointing is infrequent.

Weaknesses (CWE)

CWE-125 Out-of-bounds Read Primary CWE-665 Improper Initialization

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.