CVE-2021-41207 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

A local attacker with low privileges can crash any TensorFlow process by supplying a malformed tensor to the ParallelConcat operation, causing a divide-by-zero. Patch to TensorFlow 2.4.4, 2.5.2, 2.6.1, or 2.7.0+. Risk is limited to availability—no data exfiltration or code execution—but unpatched model-serving infrastructure running shared workloads is the priority target.

Risk Assessment

Low operational risk in most environments. CVSS 5.5 Medium with local-only attack vector and EPSS 0.00017 signal negligible real-world exploitation interest. However, in multi-tenant ML platforms or model-serving clusters where users can submit arbitrary computation graphs, the blast radius expands: a single crafted request can crash the serving process and cause service outage. Not in CISA KEV and no known public exploits.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →
tensorflow	pip	>= 2.6.0, < 2.6.1	`2.6.1`
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →
tensorflow-cpu	pip	>= 0, < 2.4.4	`2.4.4`
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →
tensorflow-gpu	pip	>= 0, < 2.4.4	`2.4.4`
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 4% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

4 steps

Patch: upgrade tensorflow, tensorflow-cpu, or tensorflow-gpu to >= 2.4.4 (for 2.4.x), >= 2.5.2 (for 2.5.x), >= 2.6.1 (for 2.6.x), or >= 2.7.0.
Workaround: add input shape validation before any ParallelConcat call; reject zero-dimension tensors.
Serving hardening: run TF serving workers as separate processes with crash recovery; isolate per-tenant inference processes so one crash does not affect other users.
Detection: alert on unexpected TF process terminations (SIGFPE / SIGABRT) in your ML infrastructure monitoring.

Classification

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 17 - Quality Management System Article 9 - Risk Management System

ISO 42001

6.1.2 - AI Risk Assessment 8.4 - AI System Lifecycle — Operation and Monitoring

NIST AI RMF

GOVERN 1.7 - Processes for Identifying and Managing AI Risks MANAGE 2.2 - Manage AI Risks from Third-Party Entities

Frequently Asked Questions

What is CVE-2021-41207?

A local attacker with low privileges can crash any TensorFlow process by supplying a malformed tensor to the ParallelConcat operation, causing a divide-by-zero. Patch to TensorFlow 2.4.4, 2.5.2, 2.6.1, or 2.7.0+. Risk is limited to availability—no data exfiltration or code execution—but unpatched model-serving infrastructure running shared workloads is the priority target.

Is CVE-2021-41207 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41207, increasing the risk of exploitation.

How to fix CVE-2021-41207?

1. Patch: upgrade tensorflow, tensorflow-cpu, or tensorflow-gpu to >= 2.4.4 (for 2.4.x), >= 2.5.2 (for 2.5.x), >= 2.6.1 (for 2.6.x), or >= 2.7.0. 2. Workaround: add input shape validation before any ParallelConcat call; reject zero-dimension tensors. 3. Serving hardening: run TF serving workers as separate processes with crash recovery; isolate per-tenant inference processes so one crash does not affect other users. 4. Detection: alert on unexpected TF process terminations (SIGFPE / SIGABRT) in your ML infrastructure monitoring.

What systems are affected by CVE-2021-41207?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, batch inference.

What is the CVSS score for CVE-2021-41207?

CVE-2021-41207 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. In affected versions the implementation of `ParallelConcat` misses some input validation and can produce a division by 0. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with access to a shared ML platform—e.g., a data scientist on a multi-tenant Jupyter environment or a user submitting jobs to a batch training cluster—constructs a TensorFlow graph containing a ParallelConcat node whose input dimensions trigger a division-by-zero in the kernel. Submitting this graph causes the TF runtime to crash, taking down the shared serving process or training job scheduler. In a model-serving API, a crafted inference request containing the malformed tensor achieves the same result, causing an outage without any authentication beyond basic API access.