CVE-2021-29619: TensorFlow DoS — MEDIUM

CISO Take

This medium-severity local DoS in TensorFlow crashes the process when malformed arguments are passed to `SparseCountSparseOutput`. If your ML inference infrastructure exposes raw TensorFlow ops to untrusted inputs (e.g., via model-serving endpoints that accept user-supplied tensors), an attacker can crash your serving process. Patch to TF 2.5.0+ or the cherry-picked backports; if immediate patching isn't possible, validate all tensor inputs at the API boundary before passing to raw ops.

What is the risk?

Risk is low-to-medium in practice. Exploitability is trivial (low complexity, low privileges), but the attack vector is local — remote exploitation requires the attacker to already influence tensor arguments reaching raw ops, which is uncommon in typical model-serving architectures. The blast radius is limited to availability (process crash, no data exfiltration or code execution confirmed). Priority for patching should be elevated if TensorFlow serves public-facing inference endpoints that accept arbitrary tensor shapes or types.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

5.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 9% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

What should I do?

5 steps

Patch: Upgrade to TensorFlow 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4.
Validate all tensor inputs (shape, dtype, value ranges) at the API boundary before forwarding to any raw ops — never pass untrusted user input directly to tf.raw_ops.
Run TensorFlow inference services in isolated containers or separate processes so a crash cannot cascade.
Implement process supervision (systemd, Kubernetes liveness probes) to auto-restart crashed serving processes.
Detection: Monitor for unexpected segfaults or SIGSEGV in TensorFlow serving logs; alert on abnormal process restarts.

How is it classified?

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - AI system operation and monitoring

NIST AI RMF

MANAGE-2.2 - Mechanisms are in place to address AI risks

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2021-29619?

This medium-severity local DoS in TensorFlow crashes the process when malformed arguments are passed to `SparseCountSparseOutput`. If your ML inference infrastructure exposes raw TensorFlow ops to untrusted inputs (e.g., via model-serving endpoints that accept user-supplied tensors), an attacker can crash your serving process. Patch to TF 2.5.0+ or the cherry-picked backports; if immediate patching isn't possible, validate all tensor inputs at the API boundary before passing to raw ops.

Is CVE-2021-29619 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29619, increasing the risk of exploitation.

How to fix CVE-2021-29619?

1. Patch: Upgrade to TensorFlow 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4. 2. Validate all tensor inputs (shape, dtype, value ranges) at the API boundary before forwarding to any raw ops — never pass untrusted user input directly to tf.raw_ops. 3. Run TensorFlow inference services in isolated containers or separate processes so a crash cannot cascade. 4. Implement process supervision (systemd, Kubernetes liveness probes) to auto-restart crashed serving processes. 5. Detection: Monitor for unexpected segfaults or SIGSEGV in TensorFlow serving logs; alert on abnormal process restarts.

What systems are affected by CVE-2021-29619?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, shared ML platforms.

What is the CVSS score for CVE-2021-29619?

CVE-2021-29619 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.19%.

What is the AI security impact?

Affected AI Architectures

model servingtraining pipelinesshared ML platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0029 Denial of AI Service

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: 8.4

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. Passing invalid arguments (e.g., discovered via fuzzing) to `tf.raw_ops.SparseCountSparseOutput` results in segfault. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting an ML inference API sends a crafted request with malformed sparse tensor arguments. If the serving backend calls `tf.raw_ops.SparseCountSparseOutput` without input validation, the process segfaults. In a Kubernetes deployment without proper liveness probes, the service becomes unavailable until manually restarted. In a shared multi-tenant ML platform, a low-privileged user could trigger this to deny service to other tenants using the same TensorFlow worker pool.