CVE-2021-29614 — HIGH (CVSS 7.8) AI Security Vulnerability

Q: Is CVE-2021-29614 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29614, increasing the risk of exploitation.

Q: How to fix CVE-2021-29614?

1. Upgrade TensorFlow to 2.5.0 immediately, or apply backports: 2.4.2, 2.3.3, 2.2.3, 2.1.4. 2. Audit all training and preprocessing code for tf.io.decode_raw calls with fixed_length and non-uint8 dtypes. 3. Restrict execution privileges in shared ML environments—enforce workload isolation via containers or separate namespaces. 4. Monitor TensorFlow worker processes for unexpected crashes as potential exploitation indicators. 5. Pin and verify ML dependency versions in all pipelines using checksums or lock files.

Q: What systems are affected by CVE-2021-29614?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data preprocessing, ML notebooks, model serving.

Q: What is the CVSS score for CVE-2021-29614?

CVE-2021-29614 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

CISO Take

TensorFlow's tf.io.decode_raw contains an out-of-bounds write vulnerability when using fixed_length with wide datatypes, enabling interpreter crashes and potentially arbitrary memory writes. Any environment running TensorFlow < 2.5.0 with raw data ingestion pipelines is at risk. Patch immediately to TensorFlow 2.5.0 or apply the available backports for 2.1–2.4 branches.

Risk Assessment

High risk in shared ML environments. CVSS 7.8 (local) understates real-world exposure: ML training clusters, shared Jupyter/Kubeflow environments, and CI/CD ML pipelines routinely run user-supplied code with execution access. Low complexity and no user interaction required means exploitation needs only crafted input data or a malicious preprocessing script—no special tooling required.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 1% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

Upgrade TensorFlow to 2.5.0 immediately, or apply backports: 2.4.2, 2.3.3, 2.2.3, 2.1.4.
Audit all training and preprocessing code for tf.io.decode_raw calls with fixed_length and non-uint8 dtypes.
Restrict execution privileges in shared ML environments—enforce workload isolation via containers or separate namespaces.
Monitor TensorFlow worker processes for unexpected crashes as potential exploitation indicators.
Pin and verify ML dependency versions in all pipelines using checksums or lock files.

Classification

Code Execution DoS Framework Training Data AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - Security of AI system

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems and resources

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29614?

TensorFlow's tf.io.decode_raw contains an out-of-bounds write vulnerability when using fixed_length with wide datatypes, enabling interpreter crashes and potentially arbitrary memory writes. Any environment running TensorFlow < 2.5.0 with raw data ingestion pipelines is at risk. Patch immediately to TensorFlow 2.5.0 or apply the available backports for 2.1–2.4 branches.

Is CVE-2021-29614 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29614, increasing the risk of exploitation.

How to fix CVE-2021-29614?

1. Upgrade TensorFlow to 2.5.0 immediately, or apply backports: 2.4.2, 2.3.3, 2.2.3, 2.1.4. 2. Audit all training and preprocessing code for tf.io.decode_raw calls with fixed_length and non-uint8 dtypes. 3. Restrict execution privileges in shared ML environments—enforce workload isolation via containers or separate namespaces. 4. Monitor TensorFlow worker processes for unexpected crashes as potential exploitation indicators. 5. Pin and verify ML dependency versions in all pipelines using checksums or lock files.

What systems are affected by CVE-2021-29614?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data preprocessing, ML notebooks, model serving.

What is the CVSS score for CVE-2021-29614?

CVE-2021-29614 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.io.decode_raw` produces incorrect results and crashes the Python interpreter when combining `fixed_length` and wider datatypes. The implementation of the padded version(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc) is buggy due to a confusion about pointer arithmetic rules. First, the code computes(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L61) the width of each output element by dividing the `fixed_length` value to the size of the type argument. The `fixed_length` argument is also used to determine the size needed for the output tensor(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L63-L79). This is followed by reencoding code(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L85-L94). The erroneous code is the last line above: it is moving the `out_data` pointer by `fixed_length * sizeof(T)` bytes whereas it only copied at most `fixed_length` bytes from the input. This results in parts of the input not being decoded into the output. Furthermore, because the pointer advance is far wider than desired, this quickly leads to writing to outside the bounds of the backing data. This OOB write leads to interpreter crash in the reproducer mentioned here, but more severe attacks can be mounted too, given that this gadget allows writing to periodically placed locations in memory. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with access to a shared ML training environment (e.g., a Jupyter notebook server or Kubeflow pipeline) injects a malicious data preprocessing step that calls tf.io.decode_raw with a crafted binary input, fixed_length set to a specific value, and a wide datatype such as float64. The pointer arithmetic bug causes memory writes 8x beyond the intended buffer boundary, corrupting adjacent process memory. In a crash-first scenario this denies service to co-tenants; in a targeted scenario, an attacker with knowledge of memory layout can leverage the periodic write gadget to achieve code execution within the TensorFlow worker process and potentially pivot within the ML infrastructure.