AI Threat Alert

CVE-2021-29616: TensorFlow: null ptr deref in graph optimizer

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

Upgrade TensorFlow to 2.5.0 or the patched backports (2.4.2, 2.3.3, 2.2.3, 2.1.4) immediately. This null pointer dereference in the arithmetic optimizer crashes training jobs and is exploitable for code execution in shared ML compute environments. Shared Jupyter servers, Kubeflow pipelines, and multi-tenant ML platforms are the primary risk surface.

What is the risk?

CVSS 7.8 High with local attack vector and low privilege requirement. While not remotely exploitable by default, shared ML training environments — cloud notebooks, ML platforms, containerized training clusters — are meaningfully exposed to malicious insiders or compromised accounts. Low complexity means exploitation is reliable once local access exists. The Grappler arithmetic optimizer runs on all TensorFlow graph compilations, broadening the trigger surface beyond isolated scenarios.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 11% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps

  1. Patch: Upgrade to TensorFlow 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4.

  2. Workaround (if immediate upgrade is blocked): disable the arithmetic optimizer via tf.config.optimizer.set_experimental_options({'arithmetic_optimization': False}).

  3. Isolate: Run TensorFlow jobs in isolated containers or VMs to contain blast radius if triggered.

  4. Detect: Monitor for unexpected TensorFlow process crashes or segfaults during graph compilation phases.

  5. Inventory: Enumerate all TensorFlow versions across environments using SBOM tooling — this library appears in many transitive dependencies.

How is it classified?

Code Execution DoS Framework Inference AML.T0010.001 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security and resilience
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to address AI risks
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29616?

Upgrade TensorFlow to 2.5.0 or the patched backports (2.4.2, 2.3.3, 2.2.3, 2.1.4) immediately. This null pointer dereference in the arithmetic optimizer crashes training jobs and is exploitable for code execution in shared ML compute environments. Shared Jupyter servers, Kubeflow pipelines, and multi-tenant ML platforms are the primary risk surface.

Is CVE-2021-29616 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29616, increasing the risk of exploitation.

How to fix CVE-2021-29616?

1. Patch: Upgrade to TensorFlow 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4. 2. Workaround (if immediate upgrade is blocked): disable the arithmetic optimizer via tf.config.optimizer.set_experimental_options({'arithmetic_optimization': False}). 3. Isolate: Run TensorFlow jobs in isolated containers or VMs to contain blast radius if triggered. 4. Detect: Monitor for unexpected TensorFlow process crashes or segfaults during graph compilation phases. 5. Inventory: Enumerate all TensorFlow versions across environments using SBOM tooling — this library appears in many transitive dependencies.

What systems are affected by CVE-2021-29616?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML platform infrastructure, Jupyter/notebook environments.

What is the CVSS score for CVE-2021-29616?

CVE-2021-29616 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.21%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingML platform infrastructureJupyter/notebook environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. The implementation of TrySimplify(https://github.com/tensorflow/tensorflow/blob/c22d88d6ff33031aa113e48aa3fc9aa74ed79595/tensorflow/core/grappler/optimizers/arithmetic_optimizer.cc#L390-L401) has undefined behavior due to dereferencing a null pointer in corner cases that result in optimizing a node with no inputs. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a shared ML platform (Jupyter notebook server, Kubeflow, SageMaker multi-user studio) crafts a TensorFlow computational graph containing nodes with zero inputs and submits it for execution. When Grappler's TrySimplify processes the graph, it dereferences a null pointer, triggering a segfault. In environments where TensorFlow runs with elevated privileges — common in training clusters requiring GPU/hardware access — this crash can be leveraged for code execution via memory exploitation techniques or weaponized for targeted denial-of-service against competing training workloads in shared infrastructure.

Weaknesses (CWE)

CWE-476 NULL Pointer Dereference Primary CWE-476 NULL Pointer Dereference

CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.

  • [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
  • [Requirements] Select a programming language that is not susceptible to these issues.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed