AI Threat Alert AI Threat Alert

CVE-2021-41208: TensorFlow: heap R/W + DoS in boosted trees APIs

HIGH PoC AVAILABLE
Published November 5, 2021
CISO Take

TensorFlow's unmaintained boosted trees API contains critical memory safety flaws — null pointer dereferences, uninitialized pointer access, and heap read/write — exploitable by a low-privileged local attacker. If your ML pipelines or training infrastructure use TF boosted trees APIs (GradientBoostedDecisionTreeClassifier, etc.), patch immediately to TF 2.7.0/2.6.1/2.5.2/2.4.4 and migrate away from these deprecated APIs entirely. The heap read/write primitive is particularly dangerous in shared GPU clusters or multi-tenant ML platforms.

Risk Assessment

CVSS 7.8 High with local attack vector and low privilege/complexity requirements. The heap read/write capability elevates this beyond a simple DoS — in shared ML training environments (Jupyter hubs, Kubeflow clusters, SageMaker multi-tenant setups), a compromised or malicious data scientist could leverage this to escalate privileges or exfiltrate model artifacts from co-located workloads. Exposure is limited to organizations still using the deprecated boosted trees API, which reduces blast radius significantly. The 2021 vintage and absence from CISA KEV suggests no known active exploitation.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.8 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 2% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

Recommended Action

6 steps

  1. Patch: Upgrade to TensorFlow 2.7.0, 2.6.1, 2.5.2, or 2.4.4 immediately.

  2. Audit: grep codebase and notebooks for BoostedTrees* API calls and tf.estimator.BoostedTrees*.

  3. Migrate: Replace boosted trees usage with XGBoost or sklearn GradientBoostingClassifier — these are actively maintained and functionally equivalent.

  4. Isolate: In shared ML platforms, enforce namespace/container isolation between tenants to limit lateral movement from heap exploitation.

  5. Detect: Monitor for TF crashes (SIGABRT/SIGSEGV) in training logs, which may indicate exploitation attempts.

  6. Version pin: If immediate patching is blocked, restrict boosted trees API access via OPA policies or custom TF op allowlists in training infrastructure.

Classification

DoS Code Execution Framework Training Data AML.T0010.001 AML.T0025 AML.T0029 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.1.2 - AI risk management process A.8.4 - AI system lifecycle
NIST AI RMF
GOVERN-6.1 - Policies and procedures for AI risk management MANAGE-2.4 - Residual risks and impacts

Frequently Asked Questions

What is CVE-2021-41208?

TensorFlow's unmaintained boosted trees API contains critical memory safety flaws — null pointer dereferences, uninitialized pointer access, and heap read/write — exploitable by a low-privileged local attacker. If your ML pipelines or training infrastructure use TF boosted trees APIs (GradientBoostedDecisionTreeClassifier, etc.), patch immediately to TF 2.7.0/2.6.1/2.5.2/2.4.4 and migrate away from these deprecated APIs entirely. The heap read/write primitive is particularly dangerous in shared GPU clusters or multi-tenant ML platforms.

Is CVE-2021-41208 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41208, increasing the risk of exploitation.

How to fix CVE-2021-41208?

1. Patch: Upgrade to TensorFlow 2.7.0, 2.6.1, 2.5.2, or 2.4.4 immediately. 2. Audit: grep codebase and notebooks for BoostedTrees* API calls and tf.estimator.BoostedTrees*. 3. Migrate: Replace boosted trees usage with XGBoost or sklearn GradientBoostingClassifier — these are actively maintained and functionally equivalent. 4. Isolate: In shared ML platforms, enforce namespace/container isolation between tenants to limit lateral movement from heap exploitation. 5. Detect: Monitor for TF crashes (SIGABRT/SIGSEGV) in training logs, which may indicate exploitation attempts. 6. Version pin: If immediate patching is blocked, restrict boosted trees API access via OPA policies or custom TF op allowlists in training infrastructure.

What systems are affected by CVE-2021-41208?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, shared ML infrastructure, model serving, MLOps platforms.

What is the CVSS score for CVE-2021-41208?

CVE-2021-41208 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. In affected versions the code for boosted trees in TensorFlow is still missing validation. As a result, attackers can trigger denial of service (via dereferencing `nullptr`s or via `CHECK`-failures) as well as abuse undefined behavior (binding references to `nullptr`s). An attacker can also read and write from heap buffers, depending on the API that gets used and the arguments that are passed to the call. Given that the boosted trees implementation in TensorFlow is unmaintained, it is recommend to no longer use these APIs. We will deprecate TensorFlow's boosted trees APIs in subsequent releases. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a shared Kubeflow or JupyterHub environment (e.g., a malicious insider or compromised data scientist account) crafts a Python notebook that calls TensorFlow boosted trees APIs with malformed arguments — passing NULL references or uninitialized pointers through BoostedTreesCalculateBestGainsPerFeature. This triggers a heap read, leaking memory contents from the TF process that may include co-located model weights or training data from other users. Alternatively, a heap write overwrites adjacent memory structures, potentially enabling arbitrary code execution within the TF worker process and lateral movement to the underlying Kubernetes node. The low-complexity, no-user-interaction requirement makes this trivially automatable via a malicious training job submitted to a shared cluster.

Weaknesses (CWE)

CWE-476 Primary CWE-476 CWE-824

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
November 5, 2021
Last Modified
November 21, 2024
First Seen
November 5, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed