AI Threat Alert

CVE-2021-29614: TensorFlow: OOB write in decode_raw crashes interpreter

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

TensorFlow's tf.io.decode_raw contains an out-of-bounds write vulnerability when using fixed_length with wide datatypes, enabling interpreter crashes and potentially arbitrary memory writes. Any environment running TensorFlow < 2.5.0 with raw data ingestion pipelines is at risk. Patch immediately to TensorFlow 2.5.0 or apply the available backports for 2.1–2.4 branches.

What is the risk?

High risk in shared ML environments. CVSS 7.8 (local) understates real-world exposure: ML training clusters, shared Jupyter/Kubeflow environments, and CI/CD ML pipelines routinely run user-supplied code with execution access. Low complexity and no user interaction required means exploitation needs only crafted input data or a malicious preprocessing script—no special tooling required.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 12% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps

  1. Upgrade TensorFlow to 2.5.0 immediately, or apply backports: 2.4.2, 2.3.3, 2.2.3, 2.1.4.

  2. Audit all training and preprocessing code for tf.io.decode_raw calls with fixed_length and non-uint8 dtypes.

  3. Restrict execution privileges in shared ML environments—enforce workload isolation via containers or separate namespaces.

  4. Monitor TensorFlow worker processes for unexpected crashes as potential exploitation indicators.

  5. Pin and verify ML dependency versions in all pipelines using checksums or lock files.

How is it classified?

Code Execution DoS Framework Training Data AML.T0010.001 AML.T0029 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Security of AI system
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems and resources
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29614?

TensorFlow's tf.io.decode_raw contains an out-of-bounds write vulnerability when using fixed_length with wide datatypes, enabling interpreter crashes and potentially arbitrary memory writes. Any environment running TensorFlow < 2.5.0 with raw data ingestion pipelines is at risk. Patch immediately to TensorFlow 2.5.0 or apply the available backports for 2.1–2.4 branches.

Is CVE-2021-29614 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29614, increasing the risk of exploitation.

How to fix CVE-2021-29614?

1. Upgrade TensorFlow to 2.5.0 immediately, or apply backports: 2.4.2, 2.3.3, 2.2.3, 2.1.4. 2. Audit all training and preprocessing code for tf.io.decode_raw calls with fixed_length and non-uint8 dtypes. 3. Restrict execution privileges in shared ML environments—enforce workload isolation via containers or separate namespaces. 4. Monitor TensorFlow worker processes for unexpected crashes as potential exploitation indicators. 5. Pin and verify ML dependency versions in all pipelines using checksums or lock files.

What systems are affected by CVE-2021-29614?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data preprocessing, ML notebooks, model serving.

What is the CVSS score for CVE-2021-29614?

CVE-2021-29614 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.22%.

What is the AI security impact?

Affected AI Architectures

training pipelinesdata preprocessingML notebooksmodel serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.io.decode_raw` produces incorrect results and crashes the Python interpreter when combining `fixed_length` and wider datatypes. The implementation of the padded version(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc) is buggy due to a confusion about pointer arithmetic rules. First, the code computes(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L61) the width of each output element by dividing the `fixed_length` value to the size of the type argument. The `fixed_length` argument is also used to determine the size needed for the output tensor(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L63-L79). This is followed by reencoding code(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L85-L94). The erroneous code is the last line above: it is moving the `out_data` pointer by `fixed_length * sizeof(T)` bytes whereas it only copied at most `fixed_length` bytes from the input. This results in parts of the input not being decoded into the output. Furthermore, because the pointer advance is far wider than desired, this quickly leads to writing to outside the bounds of the backing data. This OOB write leads to interpreter crash in the reproducer mentioned here, but more severe attacks can be mounted too, given that this gadget allows writing to periodically placed locations in memory. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with access to a shared ML training environment (e.g., a Jupyter notebook server or Kubeflow pipeline) injects a malicious data preprocessing step that calls tf.io.decode_raw with a crafted binary input, fixed_length set to a specific value, and a wide datatype such as float64. The pointer arithmetic bug causes memory writes 8x beyond the intended buffer boundary, corrupting adjacent process memory. In a crash-first scenario this denies service to co-tenants; in a targeted scenario, an attacker with knowledge of memory layout can leverage the periodic write gadget to achieve code execution within the TensorFlow worker process and potentially pivot within the ML infrastructure.

Weaknesses (CWE)

CWE-787 Out-of-bounds Write Primary CWE-665 Improper Initialization

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed