AI Threat Alert
CVE-2021-29617: TensorFlow: DoS via CHECK-fail in strings.substr
GHSA-mmq6-q8r3-48fm MEDIUM PoC AVAILABLEA local attacker with low-privilege access can crash TensorFlow processes by passing invalid arguments to tf.strings.substr, triggering a CHECK-fail denial of service. The local-only attack vector significantly limits blast radius — remote exploitation requires a separate vulnerability to achieve local access first. Patch to TensorFlow 2.1.4+, 2.2.3+, 2.3.3+, 2.4.2+, or 2.5.0+ to remediate.
What is the risk?
Low-to-medium operational risk. CVSS 5.5 with a local attack vector and low privileges keeps real-world exploitation unlikely (EPSS: 0.0005, not in CISA KEV). Impact is availability-only — no data exfiltration or integrity compromise. Risk elevates in multi-tenant ML environments (shared GPU clusters, hosted Jupyter notebooks) where local access is more easily achievable by untrusted users.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
| TensorFlow | pip | < 2.1.4 | 2.1.4 |
| TensorFlow | pip | < 2.1.4 | 2.1.4 |
| TensorFlow | pip | < 2.1.4 | 2.1.4 |
How severe is it?
What is the attack surface?
What should I do?
4 steps-
Upgrade to TensorFlow ≥2.1.4, ≥2.2.3, ≥2.3.3, ≥2.4.2, or ≥2.5.0 depending on the branch in use.
-
If immediate patching is blocked, validate and sanitize arguments passed to tf.strings.substr before invocation — specifically enforce valid position and length bounds.
-
Restrict local system access to TensorFlow processes via OS-level controls and least-privilege principles.
-
Monitor for abnormal TensorFlow process crashes as a potential indicator of exploitation attempts in shared environments.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2021-29617?
A local attacker with low-privilege access can crash TensorFlow processes by passing invalid arguments to tf.strings.substr, triggering a CHECK-fail denial of service. The local-only attack vector significantly limits blast radius — remote exploitation requires a separate vulnerability to achieve local access first. Patch to TensorFlow 2.1.4+, 2.2.3+, 2.3.3+, 2.4.2+, or 2.5.0+ to remediate.
Is CVE-2021-29617 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2021-29617, increasing the risk of exploitation.
How to fix CVE-2021-29617?
1. Upgrade to TensorFlow ≥2.1.4, ≥2.2.3, ≥2.3.3, ≥2.4.2, or ≥2.5.0 depending on the branch in use. 2. If immediate patching is blocked, validate and sanitize arguments passed to tf.strings.substr before invocation — specifically enforce valid position and length bounds. 3. Restrict local system access to TensorFlow processes via OS-level controls and least-privilege principles. 4. Monitor for abnormal TensorFlow process crashes as a potential indicator of exploitation attempts in shared environments.
What systems are affected by CVE-2021-29617?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, data preprocessing.
What is the CVSS score for CVE-2021-29617?
CVE-2021-29617 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.23%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0029 Denial of AI Service Compliance Controls Affected
What are the technical details?
Original Advisory
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via `CHECK`-fail in `tf.strings.substr` with invalid arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Exploitation Scenario
An adversary with low-privilege local access to a shared ML training server crafts a Python script calling tf.strings.substr with invalid arguments (e.g., out-of-bounds position or negative length). The internal CHECK assertion fails, immediately crashing the TensorFlow process. In a shared Jupyter notebook environment or multi-tenant ML platform, this disrupts concurrent training jobs and inference services belonging to other users — potentially causing costly training restarts or SLA violations without any permanent damage to data or models.
Weaknesses (CWE)
CWE-755 Improper Handling of Exceptional Conditions
Primary
CWE-755 Improper Handling of Exceptional Conditions CWE-755 — Improper Handling of Exceptional Conditions: The product does not handle or incorrectly handles an exceptional condition.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H References
- github.com/advisories/GHSA-mmq6-q8r3-48fm
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-545.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-743.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-254.yaml
- nvd.nist.gov/vuln/detail/CVE-2021-29617
- github.com/tensorflow/issues/46900 Broken Link
- github.com/tensorflow/issues/46974 Broken Link
- github.com/tensorflow/tensorflow/commit/890f7164b70354c57d40eda52dcdd7658677c09f Patch 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-mmq6-q8r3-48fm Exploit Patch 3rd Party
Timeline
Related Vulnerabilities
CVE-2020-15196 9.9 TensorFlow: heap OOB read in sparse/ragged count ops
Same package: tensorflow CVE-2020-15205 9.8 TensorFlow: heap overflow in StringNGrams, ASLR bypass
Same package: tensorflow CVE-2020-15208 9.8 TFLite: OOB read/write via tensor dimension mismatch
Same package: tensorflow CVE-2019-16778 9.8 TensorFlow: heap overflow in UnsortedSegmentSum op
Same package: tensorflow CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE
Same package: tensorflow