CVE-2021-41209: TensorFlow DoS via division-by-zero

CISO Take

A crafted empty filter tensor crashes TensorFlow convolution operations, taking down inference workers. Exploitable by any process or user able to submit tensor inputs — elevated risk in multi-tenant ML serving environments. Patch to TensorFlow 2.7.0, 2.6.1, 2.5.2, or 2.4.4 and add input validation at serving boundaries.

What is the risk?

Medium risk in isolated environments; elevated in multi-tenant or API-exposed ML inference deployments. Attack complexity is trivial once access exists, but the local/low-privilege requirement limits blast radius. Pure availability threat — no confidentiality or integrity impact. Unpatched deployments using TensorFlow convolution layers in user-facing inference APIs are the highest-risk scenario.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

5.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 3% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

What should I do?

1 step

1) Patch: Upgrade to TensorFlow 2.7.0, 2.6.1, 2.5.2, or 2.4.4 (cherry-picked fix available for 2.4.x–2.6.x). 2) Validate tensor shapes at API boundaries — reject empty or zero-dimension filter tensors before they reach convolution ops. 3) Deploy TensorFlow Serving behind input validation middleware (schema enforcement on tensor shapes/dtypes). 4) Enable automatic process restart for inference workers (Kubernetes liveness probes, systemd restart policies). 5) Audit all model serving endpoints that accept user-controlled tensor inputs and apply rate limiting.

How is it classified?

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.8 - AI system security and resilience

NIST AI RMF

MANAGE-2.2 - AI Risk Mitigation — Robustness

OWASP LLM Top 10

LLM04:2025 - Model Denial of Service

Frequently Asked Questions

What is CVE-2021-41209?

A crafted empty filter tensor crashes TensorFlow convolution operations, taking down inference workers. Exploitable by any process or user able to submit tensor inputs — elevated risk in multi-tenant ML serving environments. Patch to TensorFlow 2.7.0, 2.6.1, 2.5.2, or 2.4.4 and add input validation at serving boundaries.

Is CVE-2021-41209 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41209, increasing the risk of exploitation.

How to fix CVE-2021-41209?

1) Patch: Upgrade to TensorFlow 2.7.0, 2.6.1, 2.5.2, or 2.4.4 (cherry-picked fix available for 2.4.x–2.6.x). 2) Validate tensor shapes at API boundaries — reject empty or zero-dimension filter tensors before they reach convolution ops. 3) Deploy TensorFlow Serving behind input validation middleware (schema enforcement on tensor shapes/dtypes). 4) Enable automatic process restart for inference workers (Kubernetes liveness probes, systemd restart policies). 5) Audit all model serving endpoints that accept user-controlled tensor inputs and apply rate limiting.

What systems are affected by CVE-2021-41209?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, inference infrastructure.

What is the CVSS score for CVE-2021-41209?

CVE-2021-41209 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.14%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servinginference infrastructure

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0029 Denial of AI Service

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15

ISO 42001: A.6.2.8

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM04:2025

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. In affected versions the implementations for convolution operators trigger a division by 0 if passed empty filter tensor arguments. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a TensorFlow-based model inference endpoint — whether internal developer, compromised CI pipeline, or external API consumer — submits an inference request with an empty filter tensor targeting any model that includes convolution layers (e.g., a CNN for image classification or object detection). The convolution operator triggers a divide-by-zero, crashing the inference worker process. Without restart automation, the service goes offline. In a shared GPU inference cluster, a single attacker request can deny service across all tenants sharing that worker. In an active training run, injecting the payload via a poisoned data loader crashes the job and wastes compute resources.