CVE-2021-29619 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

This medium-severity local DoS in TensorFlow crashes the process when malformed arguments are passed to `SparseCountSparseOutput`. If your ML inference infrastructure exposes raw TensorFlow ops to untrusted inputs (e.g., via model-serving endpoints that accept user-supplied tensors), an attacker can crash your serving process. Patch to TF 2.5.0+ or the cherry-picked backports; if immediate patching isn't possible, validate all tensor inputs at the API boundary before passing to raw ops.

Risk Assessment

Risk is low-to-medium in practice. Exploitability is trivial (low complexity, low privileges), but the attack vector is local — remote exploitation requires the attacker to already influence tensor arguments reaching raw ops, which is uncommon in typical model-serving architectures. The blast radius is limited to availability (process crash, no data exfiltration or code execution confirmed). Priority for patching should be elevated if TensorFlow serves public-facing inference endpoints that accept arbitrary tensor shapes or types.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 1% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: Upgrade to TensorFlow 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4.
Validate all tensor inputs (shape, dtype, value ranges) at the API boundary before forwarding to any raw ops — never pass untrusted user input directly to tf.raw_ops.
Run TensorFlow inference services in isolated containers or separate processes so a crash cannot cascade.
Implement process supervision (systemd, Kubernetes liveness probes) to auto-restart crashed serving processes.
Detection: Monitor for unexpected segfaults or SIGSEGV in TensorFlow serving logs; alert on abnormal process restarts.

Classification

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - AI system operation and monitoring

NIST AI RMF

MANAGE-2.2 - Mechanisms are in place to address AI risks

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2021-29619?

This medium-severity local DoS in TensorFlow crashes the process when malformed arguments are passed to `SparseCountSparseOutput`. If your ML inference infrastructure exposes raw TensorFlow ops to untrusted inputs (e.g., via model-serving endpoints that accept user-supplied tensors), an attacker can crash your serving process. Patch to TF 2.5.0+ or the cherry-picked backports; if immediate patching isn't possible, validate all tensor inputs at the API boundary before passing to raw ops.

Is CVE-2021-29619 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29619, increasing the risk of exploitation.

How to fix CVE-2021-29619?

1. Patch: Upgrade to TensorFlow 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4. 2. Validate all tensor inputs (shape, dtype, value ranges) at the API boundary before forwarding to any raw ops — never pass untrusted user input directly to tf.raw_ops. 3. Run TensorFlow inference services in isolated containers or separate processes so a crash cannot cascade. 4. Implement process supervision (systemd, Kubernetes liveness probes) to auto-restart crashed serving processes. 5. Detection: Monitor for unexpected segfaults or SIGSEGV in TensorFlow serving logs; alert on abnormal process restarts.

What systems are affected by CVE-2021-29619?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, shared ML platforms.

What is the CVSS score for CVE-2021-29619?

CVE-2021-29619 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. Passing invalid arguments (e.g., discovered via fuzzing) to `tf.raw_ops.SparseCountSparseOutput` results in segfault. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting an ML inference API sends a crafted request with malformed sparse tensor arguments. If the serving backend calls `tf.raw_ops.SparseCountSparseOutput` without input validation, the process segfaults. In a Kubernetes deployment without proper liveness probes, the service becomes unavailable until manually restarted. In a shared multi-tenant ML platform, a low-privileged user could trigger this to deny service to other tenants using the same TensorFlow worker pool.