CVE-2021-41202: TensorFlow tf.range: integer overflow in kernel causes DoS

MEDIUM PoC AVAILABLE
Published November 5, 2021
CISO Take

A numeric type coercion bug in TensorFlow's tf.range kernel allows any local user to trigger an integer overflow, crashing the TF process. Impact is availability-only — no data exfiltration or code execution risk. Patch immediately to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4; unpatched training or inference nodes in shared environments are the primary exposure surface.

What is the risk?

MEDIUM. CVSS 5.5 reflects realistic impact well. Exploitability is trivial — crafting a tf.range call that triggers the overflow requires minimal TF knowledge. However, the local attack vector constrains exposure: an adversary needs existing access to the compute environment (notebook server, training job runner, or inference host). No privilege escalation, no data exfiltration, and no lateral movement path — this is a targeted availability attack on ML workloads. Risk elevates in multi-tenant ML platforms (JupyterHub, SageMaker Studio, Kubeflow notebooks) where untrusted users share the same TF runtime.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 5.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 10% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: None
A: High

What should I do?

5 steps
  1. PATCH

    Upgrade to TensorFlow 2.7.0, 2.6.1, 2.5.2, or 2.4.4 — all contain the fix (commits 1b0e0ec and 6d94002).

  2. DETECT

    Grep model code and preprocessing pipelines for tf.range calls with dynamic int64 parameters sourced from user input or external data.

  3. HARDEN

    In multi-tenant environments, sandbox notebook servers so a crashing kernel does not impact other users' workloads.

  4. MONITOR

    Alert on repeated TF process crashes or OOM signals in training/serving logs — these may indicate exploitation attempts.

  5. VERIFY

    If running containerized training, confirm base image TF version against patched releases.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity of high-risk AI systems
ISO 42001
A.10.2 - AI system robustness and availability
NIST AI RMF
GOVERN 1.4 - Organizational teams are committed to governance and risk management processes
MANAGE 2.2 - Mechanisms to sustain AI risk management over the AI lifecycle

Frequently Asked Questions

Is CVE-2021-41202 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41202, increasing the risk of exploitation.

What systems are affected by CVE-2021-41202?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, data preprocessing pipelines, notebook environments, ML orchestration platforms.

What is the CVSS score for CVE-2021-41202?

CVE-2021-41202 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, data preprocessing pipelines, notebook environments, ML orchestration platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.10.2
NIST AI RMF: GOVERN 1.4, MANAGE 2.2

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. In affected versions, while calculating the size of the output within the `tf.range` kernel, there is a conditional statement of type `int64 = condition ? int64 : double`. Due to C++ implicit conversion rules, both branches of the condition will be cast to `double` and the result would be truncated before the assignment. This results in overflows. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.
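The conversion rule the advisory describes can be seen in isolation in the following added example, which is not TensorFlow's kernel code: `size_ternary`, `size_checked` and `kBig` are hypothetical names, and the input is constructed. It shows the `int64 = condition ? int64 : double` pattern beside a form that keeps each branch in its own type, and goes one step further than the advisory by range-checking the floating-point branch before the cast (assumes IEEE-754 doubles).

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <type_traits>

// Hypothetical helpers for illustration; not TensorFlow's kernel code.

// The conditional operator needs one result type. With int64_t and double
// operands that type is double, whichever branch is taken at run time.
static_assert(std::is_same<decltype(true ? int64_t{0} : 0.0), double>::value,
              "int64_t : double yields double");

// Constructed input: 2^53 + 1 is the smallest positive integer a double
// cannot represent exactly.
const int64_t kBig = (int64_t{1} << 53) + 1;

// Pattern from the advisory: int64 = condition ? int64 : double.
// The integer branch makes a round trip through double before assignment.
int64_t size_ternary(bool integral, int64_t int_size, double float_size) {
  return static_cast<int64_t>(integral ? int_size : std::ceil(float_size));
}

// Hardened form: each branch keeps its own type, and the floating-point
// branch is range-checked before the narrowing cast.
bool size_checked(bool integral, int64_t int_size, double float_size,
                  int64_t* out) {
  if (integral) {
    *out = int_size;  // never leaves int64_t
    return true;
  }
  const double c = std::ceil(float_size);
  const double kTwo63 = 9223372036854775808.0;  // 2^63, exact as a double
  if (!(c >= -kTwo63 && c < kTwo63)) return false;  // also rejects NaN
  *out = static_cast<int64_t>(c);
  return true;
}

int main() {
  int64_t fixed = 0;
  size_checked(true, kBig, 0.0, &fixed);
  std::printf("input   %lld\n", static_cast<long long>(kBig));
  std::printf("ternary %lld\n",
              static_cast<long long>(size_ternary(true, kBig, 0.0)));
  std::printf("checked %lld\n", static_cast<long long>(fixed));
  return 0;
}
```

Compiling with `-Wconversion` flags the implicit int64-to-double promotion inside the ternary, which makes this pattern easy to catch in review.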

Exploitation Scenario

An adversary with access to a shared ML platform (e.g., data scientist on a multi-tenant JupyterHub) crafts a notebook or script that calls tf.range with values carefully chosen to trigger the int64→double→truncation overflow. Submitting this as a training job or preprocessing step causes the TF worker process to crash. In a Kubeflow Pipelines environment, repeated submission of a poisoned pipeline step that crashes at the tf.range kernel can stall an entire training queue, denying GPU resources to legitimate workloads. The attack requires zero special privileges beyond the ability to submit TF workloads.

Weaknesses (CWE)

CWE-681 — Incorrect Conversion between Numeric Types: When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

  • [Implementation] Avoid making conversion between numeric types. Always check for the allowed ranges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: November 5, 2021
Last Modified: November 21, 2024
First Seen: November 5, 2021

Related Vulnerabilities