CVE-2021-41195 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

A local attacker with low privileges can crash TensorFlow processes by passing oversized segment IDs to tf.math.segment_* operations, triggering an integer overflow and process abort. Impact is limited to availability — no data exfiltration or code execution. Patch to TF 2.7.0 / 2.6.1 / 2.5.2 / 2.4.4; prioritize shared multi-tenant ML environments such as Jupyter hubs, Kubeflow, or MLflow servers where untrusted users can execute TensorFlow code.

Risk Assessment

Low-to-medium operational risk. CVSS 5.5 reflects a local attack vector requiring only low privileges, with impact confined to availability (A:H, C:N, I:N). Not in CISA KEV and no known active exploitation. Risk escalates significantly in multi-tenant ML training infrastructure where a single malicious or misconfigured job can terminate co-located workloads.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 11% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Upgrade TensorFlow to 2.7.0, 2.6.1, 2.5.2, or 2.4.4 (cherry-picked patches available for older supported branches).
Audit workloads using tf.math.segment_* operations, especially those accepting user-controlled or external tensor inputs.
In multi-tenant environments, enforce process isolation between users and validate tensor shapes before passing to segment ops.
Monitor for repeated unexpected TensorFlow process crashes — patterns may indicate active probing.
Review container/namespace isolation in Kubeflow and similar platforms to limit blast radius of a crash.

Classification

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0043 - Craft Adversarial Data

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 9 - Risk Management System

ISO 42001

Clause 8.4 - AI system operation and monitoring

NIST AI RMF

GOVERN 1.2 - Policies, processes, procedures, and practices across the AI risk management lifecycle MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems

Frequently Asked Questions

What is CVE-2021-41195?

A local attacker with low privileges can crash TensorFlow processes by passing oversized segment IDs to tf.math.segment_* operations, triggering an integer overflow and process abort. Impact is limited to availability — no data exfiltration or code execution. Patch to TF 2.7.0 / 2.6.1 / 2.5.2 / 2.4.4; prioritize shared multi-tenant ML environments such as Jupyter hubs, Kubeflow, or MLflow servers where untrusted users can execute TensorFlow code.

Is CVE-2021-41195 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41195, increasing the risk of exploitation.

How to fix CVE-2021-41195?

1. Upgrade TensorFlow to 2.7.0, 2.6.1, 2.5.2, or 2.4.4 (cherry-picked patches available for older supported branches). 2. Audit workloads using tf.math.segment_* operations, especially those accepting user-controlled or external tensor inputs. 3. In multi-tenant environments, enforce process isolation between users and validate tensor shapes before passing to segment ops. 4. Monitor for repeated unexpected TensorFlow process crashes — patterns may indicate active probing. 5. Review container/namespace isolation in Kubeflow and similar platforms to limit blast radius of a crash.

What systems are affected by CVE-2021-41195?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, notebook environments, batch inference pipelines.

What is the CVSS score for CVE-2021-41195?

CVE-2021-41195 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. In affected versions the implementation of `tf.math.segment_*` operations results in a `CHECK`-fail related abort (and denial of service) if a segment id in `segment_ids` is large. This is similar to CVE-2021-29584 (and similar other reported vulnerabilities in TensorFlow, localized to specific APIs): the implementation (both on CPU and GPU) computes the output shape using `AddDim`. However, if the number of elements in the tensor overflows an `int64_t` value, `AddDim` results in a `CHECK` failure which provokes a `std::abort`. Instead, code should use `AddDimWithStatus`. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a shared Jupyter notebook server or MLflow training environment writes a minimal Python snippet calling tf.math.segment_sum() with a segment_ids tensor containing a value large enough to overflow int64 during output shape computation. When executed, AddDim triggers a CHECK failure and std::abort, immediately killing the TensorFlow process. In a shared cluster, this terminates any co-located training jobs or inference servers sharing the process, achieving targeted disruption of AI pipeline availability with a single line of user code.