CVE-2021-41202: TensorFlow tf.range: integer overflow in kernel causes DoS

MEDIUM PoC AVAILABLE
Published November 5, 2021
CISO Take

A numeric type coercion bug in TensorFlow's tf.range kernel allows any local user to trigger an integer overflow, crashing the TF process. Impact is availability-only — no data exfiltration or code execution risk. Patch immediately to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4; unpatched training or inference nodes in shared environments are the primary exposure surface.

Risk Assessment

MEDIUM. CVSS 5.5 reflects realistic impact well. Exploitability is trivial — crafting a tf.range call that triggers the overflow requires minimal TF knowledge. However, the local attack vector constrains exposure: an adversary needs existing access to the compute environment (notebook server, training job runner, or inference host). No privilege escalation, no data exfiltration, and no lateral movement path — this is a targeted availability attack on ML workloads. Risk elevates in multi-tenant ML platforms (JupyterHub, SageMaker Studio, Kubeflow notebooks) where untrusted users share the same TF runtime.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 11% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

  1. PATCH

    Upgrade to TensorFlow 2.7.0, 2.6.1, 2.5.2, or 2.4.4 — all contain the fix (commits 1b0e0ec and 6d94002).

  2. DETECT

    Grep model code and preprocessing pipelines for tf.range calls with dynamic int64 parameters sourced from user input or external data.

  3. HARDEN

    In multi-tenant environments, sandbox notebook servers so a crashing kernel does not impact other users' workloads.

  4. MONITOR

    Alert on repeated TF process crashes or OOM signals in training/serving logs — these may indicate exploitation attempts.

  5. VERIFY

    If running containerized training, confirm base image TF version against patched releases.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity of high-risk AI systems
ISO 42001: A.10.2 - AI system robustness and availability
NIST AI RMF: GOVERN 1.4 - Organizational teams are committed to governance and risk management processes
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain AI risk management over the AI lifecycle

Frequently Asked Questions

Is CVE-2021-41202 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41202, increasing the risk of exploitation.

What systems are affected by CVE-2021-41202?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, data preprocessing pipelines, notebook environments, ML orchestration platforms.

What is the CVSS score for CVE-2021-41202?

CVE-2021-41202 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. In affected versions, while calculating the size of the output within the `tf.range` kernel, there is a conditional statement of type `int64 = condition ? int64 : double`. Due to C++ implicit conversion rules, both branches of the condition will be cast to `double` and the result would be truncated before the assignment. This results in overflows. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.
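The conversion rule described above, shown as an added example that is not TensorFlow's source code: a constructed size computation with the `int64 = condition ? int64 : double` shape next to a hardened form. The function names `size_flawed` and `size_checked` and the input value are assumptions made for illustration.

```cpp
#include <cmath>
#include <cstdint>
#include <iostream>
#include <type_traits>

// In `cond ? int64 : double` the usual arithmetic conversions give the whole
// expression type double, regardless of which branch is selected at run time.
static_assert(
    std::is_same<decltype(true ? std::int64_t{0} : 0.0), double>::value,
    "conditional expression mixing int64 and double has type double");

// Flawed pattern (constructed, not TensorFlow's source): the integral branch
// is converted to double and back before it reaches `size`.
std::int64_t size_flawed(bool is_integral, std::int64_t int_size, double fp_size) {
  std::int64_t size = is_integral ? int_size : std::ceil(fp_size);
  return size;
}

// Hardened form: the integer path never touches floating point, and the
// floating-point path is range-checked before the narrowing conversion.
bool size_checked(bool is_integral, std::int64_t int_size, double fp_size,
                  std::int64_t* out) {
  if (is_integral) {
    *out = int_size;
    return true;
  }
  const double c = std::ceil(fp_size);
  const double kTwoPow63 = 9223372036854775808.0;  // first value above INT64_MAX
  if (!(c >= 0.0 && c < kTwoPow63)) return false;  // also rejects NaN
  *out = static_cast<std::int64_t>(c);
  return true;
}

int main() {
  // Constructed input: 2^53 + 1 is the first int64 a double cannot represent.
  const std::int64_t n = (std::int64_t{1} << 53) + 1;
  std::int64_t checked = 0;
  const bool ok = size_checked(true, n, 0.0, &checked);
  std::cout << "input   " << n << "\n"
            << "flawed  " << size_flawed(true, n, 0.0) << "\n"
            << "checked " << (ok ? checked : -1) << "\n";
  return 0;
}
```

Near the top of the `int64` range the same round trip rounds up to 2^63, and converting that `double` back to `int64` is undefined behaviour, which is why the hardened form checks the range before the cast.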

Exploitation Scenario

An adversary with access to a shared ML platform (e.g., data scientist on a multi-tenant JupyterHub) crafts a notebook or script that calls tf.range with values carefully chosen to trigger the int64→double→truncation overflow. Submitting this as a training job or preprocessing step causes the TF worker process to crash. In a Kubeflow Pipelines environment, repeated submission of a poisoned pipeline step that crashes at the tf.range kernel can stall an entire training queue, denying GPU resources to legitimate workloads. The attack requires zero special privileges beyond the ability to submit TF workloads.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: November 5, 2021
Last Modified: November 21, 2024
First Seen: November 5, 2021
