CVE-2021-41200: TensorFlow: DoS crash in tf.summary file writer

MEDIUM PoC AVAILABLE
Published November 5, 2021
CISO Take

A local attacker or malicious insider with low privileges can crash any TensorFlow process by passing non-scalar arguments to tf.summary.create_file_writer, disrupting training jobs and MLOps pipelines. Patch to TensorFlow 2.7.0 (or backports 2.6.1 / 2.5.2 / 2.4.4) immediately if TensorBoard logging is exposed to untrusted input. Risk is limited to availability — no data exfiltration or code execution path exists.

Risk Assessment

Moderate operational risk for organizations running TensorFlow training pipelines at scale. CVSS 5.5 (local, low-privilege) understates real-world impact in shared GPU cluster environments where a single tenant crash can abort multi-hour or multi-day training runs costing thousands in compute. Not exploitable remotely and not in CISA KEV, but insider threat and compromised CI/CD pipeline scenarios are realistic vectors in ML-heavy organizations.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch

Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 15% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

Recommended Action

  1. Patch: Upgrade to TensorFlow 2.7.0+, or apply cherrypick backports for 2.6.1, 2.5.2, and 2.4.4.

  2. Workaround: Add input validation to enforce scalar tensors before passing to tf.summary.create_file_writer in any code path accepting external input.

  3. Detection: Monitor training job logs for unexpected CHECK-fail crashes and abnormal job terminations in TF training workloads.

  4. Isolation: Run untrusted training jobs in isolated environments (containers/VMs) to limit blast radius of intentional DoS.
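
One way to implement the workaround in step 2, as an added example (not code from TensorFlow or from this advisory): a pre-check that rejects non-scalar values before they reach tf.summary.create_file_writer. The names arg_rank, non_scalar_args and safe_create_file_writer are hypothetical, the sample inputs are constructed, and rejecting values of unknown rank is an assumption of this example.

```python
"""Scalar pre-check for tf.summary.create_file_writer arguments (added example)."""


def arg_rank(value):
    """Return the tensor rank a value would have, or None if it is unknown."""
    shape = getattr(value, "shape", None)
    if shape is not None:
        # tf.TensorShape exposes .rank (None when unknown); NumPy shapes are tuples.
        return shape.rank if hasattr(shape, "rank") else len(shape)
    if isinstance(value, (list, tuple, set, dict)):
        return 1  # Python containers convert to tensors of rank >= 1
    if isinstance(value, (str, bytes, int)):
        return 0  # plain Python scalars
    return None


def non_scalar_args(logdir, max_queue=None, flush_millis=None, filename_suffix=None):
    """Return the names of the arguments that are not provably scalar."""
    args = {"logdir": logdir, "max_queue": max_queue,
            "flush_millis": flush_millis, "filename_suffix": filename_suffix}
    # None means "use the default", so only supplied values are checked.
    # Unknown rank is rejected as well: fail closed (assumption of this example).
    return [name for name, value in args.items()
            if value is not None and arg_rank(value) != 0]


def safe_create_file_writer(logdir, max_queue=None, flush_millis=None,
                            filename_suffix=None, name=None):
    """Hypothetical wrapper: validate first, then call the real TensorFlow API."""
    bad = non_scalar_args(logdir, max_queue, flush_millis, filename_suffix)
    if bad:
        raise ValueError(f"non-scalar argument(s) rejected: {', '.join(bad)}")
    import tensorflow as tf  # imported lazily so the check itself needs no TF
    return tf.summary.create_file_writer(
        logdir, max_queue=max_queue, flush_millis=flush_millis,
        filename_suffix=filename_suffix, name=name)


if __name__ == "__main__":
    # Constructed sample inputs: one benign call, one with list-valued arguments.
    print(non_scalar_args("/tmp/logs", max_queue=10))
    print(non_scalar_args(["/tmp/a", "/tmp/b"], flush_millis=[1, 2]))
```

Route any logging configuration that originates outside the training code through the wrapper, so a bad value surfaces as a catchable ValueError instead of a process abort.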

Classification

Compliance Impact

This CVE is relevant to:

ISO 42001
A.6.2.5 - AI system availability and resilience
NIST AI RMF
GOVERN 1.7 - Processes and procedures are in place for decommissioning and phase-out of AI systems
MANAGE 2.2 - Mechanisms are in place to sustain risk management activities
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

Is CVE-2021-41200 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41200, increasing the risk of exploitation.

How to fix CVE-2021-41200?

  1. Patch: Upgrade to TensorFlow 2.7.0+, or apply cherrypick backports for 2.6.1, 2.5.2, and 2.4.4.

  2. Workaround: Add input validation to enforce scalar tensors before passing to tf.summary.create_file_writer in any code path accepting external input.

  3. Detection: Monitor training job logs for unexpected CHECK-fail crashes and abnormal job terminations in TF training workloads.

  4. Isolation: Run untrusted training jobs in isolated environments (containers/VMs) to limit blast radius of intentional DoS.

What systems are affected by CVE-2021-41200?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model development environments, MLOps platforms.

What is the CVSS score for CVE-2021-41200?

CVE-2021-41200 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. In affected versions, if `tf.summary.create_file_writer` is called with non-scalar arguments, the code crashes due to a `CHECK`-fail. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

A malicious insider or attacker with access to a shared ML training platform (e.g., via a compromised ML engineer account or rogue training script submitted to a job queue) submits a training job that calls tf.summary.create_file_writer with a deliberately crafted non-scalar tensor. The resulting CHECK-fail terminates the TensorFlow process, aborting co-resident training jobs on the same worker node. On long-running foundation model training runs, this translates to significant compute waste and potential checkpoint loss. An adversary could repeat this to continually disrupt model development cycles.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: November 5, 2021
Last Modified: November 21, 2024
First Seen: November 5, 2021

Related Vulnerabilities