AI Threat Alert AI Threat Alert

CVE-2021-41209: TensorFlow: DoS via division-by-zero in conv ops

MEDIUM PoC AVAILABLE
Published November 5, 2021
CISO Take

A crafted empty filter tensor crashes TensorFlow convolution operations, taking down inference workers. Exploitable by any process or user able to submit tensor inputs — elevated risk in multi-tenant ML serving environments. Patch to TensorFlow 2.7.0, 2.6.1, 2.5.2, or 2.4.4 and add input validation at serving boundaries.

Risk Assessment

Medium risk in isolated environments; elevated in multi-tenant or API-exposed ML inference deployments. Attack complexity is trivial once access exists, but the local/low-privilege requirement limits blast radius. Pure availability threat — no confidentiality or integrity impact. Unpatched deployments using TensorFlow convolution layers in user-facing inference APIs are the highest-risk scenario.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
5.5 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 5% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

Recommended Action

1 step

  1. 1) Patch: Upgrade to TensorFlow 2.7.0, 2.6.1, 2.5.2, or 2.4.4 (cherry-picked fix available for 2.4.x–2.6.x). 2) Validate tensor shapes at API boundaries — reject empty or zero-dimension filter tensors before they reach convolution ops. 3) Deploy TensorFlow Serving behind input validation middleware (schema enforcement on tensor shapes/dtypes). 4) Enable automatic process restart for inference workers (Kubernetes liveness probes, systemd restart policies). 5) Audit all model serving endpoints that accept user-controlled tensor inputs and apply rate limiting.

Classification

DoS Framework Inference AML.T0010.001 AML.T0029 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.8 - AI system security and resilience
NIST AI RMF
MANAGE-2.2 - AI Risk Mitigation — Robustness
OWASP LLM Top 10
LLM04:2025 - Model Denial of Service

Frequently Asked Questions

What is CVE-2021-41209?

A crafted empty filter tensor crashes TensorFlow convolution operations, taking down inference workers. Exploitable by any process or user able to submit tensor inputs — elevated risk in multi-tenant ML serving environments. Patch to TensorFlow 2.7.0, 2.6.1, 2.5.2, or 2.4.4 and add input validation at serving boundaries.

Is CVE-2021-41209 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41209, increasing the risk of exploitation.

How to fix CVE-2021-41209?

1) Patch: Upgrade to TensorFlow 2.7.0, 2.6.1, 2.5.2, or 2.4.4 (cherry-picked fix available for 2.4.x–2.6.x). 2) Validate tensor shapes at API boundaries — reject empty or zero-dimension filter tensors before they reach convolution ops. 3) Deploy TensorFlow Serving behind input validation middleware (schema enforcement on tensor shapes/dtypes). 4) Enable automatic process restart for inference workers (Kubernetes liveness probes, systemd restart policies). 5) Audit all model serving endpoints that accept user-controlled tensor inputs and apply rate limiting.

What systems are affected by CVE-2021-41209?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, inference infrastructure.

What is the CVSS score for CVE-2021-41209?

CVE-2021-41209 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. In affected versions the implementations for convolution operators trigger a division by 0 if passed empty filter tensor arguments. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a TensorFlow-based model inference endpoint — whether internal developer, compromised CI pipeline, or external API consumer — submits an inference request with an empty filter tensor targeting any model that includes convolution layers (e.g., a CNN for image classification or object detection). The convolution operator triggers a divide-by-zero, crashing the inference worker process. Without restart automation, the service goes offline. In a shared GPU inference cluster, a single attacker request can deny service across all tenants sharing that worker. In an active training run, injecting the payload via a poisoned data loader crashes the job and wastes compute resources.

Weaknesses (CWE)

CWE-369

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
November 5, 2021
Last Modified
November 21, 2024
First Seen
November 5, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed