CVE-2021-41206: TensorFlow: missing shape validation allows heap R/W

HIGH PoC AVAILABLE
Published November 5, 2021
CISO Take

Multiple TensorFlow operations lack tensor shape validation, enabling heap memory reads/writes or crashes by any user who can submit workloads. Patch immediately to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4—especially in multi-tenant training environments or public-facing model serving. Local access requirement limits internet exposure, but shared ML platforms (Jupyter, Kubeflow, SageMaker) elevate this to a lateral movement risk within your AI infrastructure.

What is the risk?

CVSS 7.8 (High) with local attack vector reduces internet-facing exposure, but in ML platform contexts—multi-user Jupyter environments, cloud ML workspaces, or shared training clusters—'local' translates to any authenticated user. Low attack complexity and low privilege requirements mean any data scientist or developer with notebook access could trigger heap corruption. The vulnerability spans multiple undisclosed ops, implying a broad attack surface. No active exploitation reported and not in CISA KEV, but the potential for heap R/W makes this more than a stability issue.

What systems are affected?

Package     Ecosystem   Vulnerable Range   Patched
TensorFlow  pip         (not listed)       No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 7.8 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 7% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Metric                    Value
AV (Attack Vector)        Local
AC (Attack Complexity)    Low
PR (Privileges Required)  Low
UI (User Interaction)     None
S (Scope)                 Unchanged
C (Confidentiality)       High
I (Integrity)             High
A (Availability)          High

What should I do?

5 steps
  1. Patch: Upgrade to TF 2.7.0, or apply cherry-picked commits to 2.6.1, 2.5.2, or 2.4.4 per the GitHub advisory.

  2. Inventory: Enumerate all systems running TensorFlow across training infra, serving endpoints, notebooks, and CI/CD pipelines.

  3. Isolation: Restrict job submission access to TF endpoints until patched; enforce least-privilege on who can run TF workloads.

  4. Detection: Monitor TF process logs for unexpected segfaults or CHECK-fail messages as potential exploitation indicators.

  5. Rebuild: Update all Docker/container images containing TF to patched versions and redeploy.
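An added example covering steps 1, 2 and 4 (not code from the page or from the TensorFlow project): a stdlib-only Python helper that classifies an installed TensorFlow version against the fixed releases the advisory names (2.7.0, 2.6.1, 2.5.2, 2.4.4) and flags CHECK-fail or segfault lines in worker logs. Assumptions: series older than 2.4 are treated as vulnerable because they never received the cherry-picks, and the sample log lines and the segfault wording are constructed.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, is_final_release)
# Releases that carry the CVE-2021-41206 fixes, per the TensorFlow advisory.
PATCHED_BRANCHES = {(2, 4): (2, 4, 4, 1), (2, 5): (2, 5, 2, 1), (2, 6): (2, 6, 1, 1)}
FIRST_FIXED_MAINLINE: Version = (2, 7, 0, 1)
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(rc\d*|a\d*|b\d*|\.?dev\d*)?")

def parse_version(text: str) -> Optional[Version]:
    """Parse '2.6.0', '2.7.0rc1' or '2.8.0.dev20211105'; pre-releases sort below the final."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    is_final = 0 if m.group(4) else 1
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), is_final)

def is_vulnerable(version: str) -> bool:
    """True when the version predates the fixed release of its branch (or any fix at all)."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unparseable TensorFlow version: {version!r}")
    branch = parsed[:2]
    if branch in PATCHED_BRANCHES:
        return parsed < PATCHED_BRANCHES[branch]
    # 2.7.0+ ships the fixes; older, unsupported series never received them (assumption).
    return parsed < FIRST_FIXED_MAINLINE

# Step 4: "Check failed:" is TensorFlow's CHECK-fail abort text; the segfault wording is
# an assumption that varies by platform and process supervisor.
_CRASH_RE = re.compile(r"Check failed:|Segmentation fault|SIGSEGV|signal 11")

def crash_indicators(log_lines: List[str]) -> List[str]:
    """Return the log lines that look like a CHECK-fail abort or a segfault."""
    return [line for line in log_lines if _CRASH_RE.search(line)]

# Constructed sample worker log, not real TensorFlow output.
SAMPLE_LOG = [
    "I tensorflow/core/common_runtime/executor.cc] starting worker 3",
    "F tensorflow/core/framework/tensor_shape.cc] Check failed: dims() == 2 (3 vs. 2)",
    "I train_loop] epoch 1 loss 0.42",
    "supervisor] worker 3 exited: Segmentation fault (core dumped)",
]

if __name__ == "__main__":
    for v in ("2.4.3", "2.4.4", "2.6.0", "2.7.0rc1", "2.7.0"):
        print(v, "VULNERABLE" if is_vulnerable(v) else "fixed")
    for line in crash_indicators(SAMPLE_LOG):
        print("ALERT:", line)
```

For inventory, feed `is_vulnerable` the output of `pip show tensorflow` or `tf.__version__` from each notebook, serving image and CI runner.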

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system for high-risk AI
ISO 42001
8.4 - AI system operation and monitoring
NIST AI RMF
GOVERN 6.1 - Policies and procedures for AI risk management
MANAGE 2.4 - Residual risks and organizational risk tolerance

Frequently Asked Questions

Is CVE-2021-41206 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41206, increasing the risk of exploitation.

What systems are affected by CVE-2021-41206?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML platforms, ML workstations, containerized ML workloads.

What is the CVSS score for CVE-2021-41206?

CVE-2021-41206 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.17%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, shared ML platforms, ML workstations, containerized ML workloads

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: 8.4
NIST AI RMF: GOVERN 6.1, MANAGE 2.4

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. In affected versions several TensorFlow operations are missing validation for the shapes of the tensor arguments involved in the call. Depending on the API, this can result in undefined behavior and segfault or `CHECK`-fail related crashes but in some scenarios writes and reads from heap populated arrays are also possible. We have discovered these issues internally via tooling while working on improving/testing GPU op determinism. As such, we don't have reproducers and there will be multiple fixes for these issues. These fixes will be included in TensorFlow 2.7.0. We will also cherrypick these commits on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

A malicious insider or attacker with compromised data scientist credentials on a shared ML platform submits a training job or inference request containing tensors with deliberately malformed shapes targeting one of the vulnerable ops. The absent shape validation triggers a heap write primitive that the attacker can exploit for memory disclosure—leaking model weights, API keys, or credentials stored in the process heap—or to achieve arbitrary code execution within the TF worker process. In a Kubernetes-based ML pipeline, this becomes a container escape vector with potential cluster-wide lateral movement.

Weaknesses (CWE)

CWE-354 — Improper Validation of Integrity Check Value: The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

  • [Implementation] Ensure that the checksums present in messages are properly checked in accordance with the protocol specification before they are parsed and used.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
November 5, 2021
Last Modified
November 21, 2024
First Seen
November 5, 2021
