CVE-2021-41214: TensorFlow: null deref in ragged ops, local RCE

HIGH PoC AVAILABLE
Published November 5, 2021
CISO Take

A null pointer dereference in TensorFlow's tf.ragged.cross shape inference enables local attackers with minimal privileges to achieve arbitrary code execution (CVSS 7.8, C:H/I:H/A:H). In shared ML environments—Jupyter hubs, Kubeflow clusters, SageMaker Studio multi-user—any authenticated user can exploit this without interaction. Patch immediately to TensorFlow 2.7.0 or apply the backport commits available for 2.6.1/2.5.2/2.4.4.

Risk Assessment

High risk in multi-tenant ML infrastructure. Low attack complexity and no user interaction required make exploitation reliable once local access is established. Shared training clusters and notebook environments are the highest-exposure surface—data scientists commonly have local script execution in these environments. Single-user workstations are lower risk but should still be patched. Not in CISA KEV and no confirmed active exploitation at time of disclosure, reducing urgency slightly for isolated deployments.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 5% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
Public PoC indexed (trickest/cve).
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

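Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High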

Recommended Action

  1. Upgrade TensorFlow to 2.7.0 or apply the cherry-picked patch (commit fa6b7782) to supported versions 2.6.1, 2.5.2, or 2.4.4.

  2. Audit all TensorFlow versions across training clusters, notebook servers, model serving infra, and CI/CD pipelines—version drift is common in ML environments.

  3. Enforce least-privilege service accounts for ML training jobs; limit blast radius if exploited.

  4. In shared environments, isolate user workspaces with namespace-level or container-level boundaries.

  5. Monitor for unexpected process spawning or outbound network connections from TensorFlow training jobs as a detection signal.
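An added example for the audit in step 2 (not code from this page or from the TensorFlow project): it classifies pinned TensorFlow versions from `pip freeze` output against the fixed releases named above. The host names and pins are constructed, and treating `tensorflow-cpu`/`tensorflow-gpu` and branches older than 2.4 as affected is an assumption.

```python
import re

# First fixed patch level per backport branch, as listed in the advisory text.
FIXED_BY_BRANCH = {(2, 6): 1, (2, 5): 2, (2, 4): 4}
FIRST_FIXED_MAINLINE = (2, 7, 0)
# Assumption: these PyPI distributions ship the same TensorFlow runtime.
TF_PACKAGES = {"tensorflow", "tensorflow-cpu", "tensorflow-gpu"}


def classify(version):
    """Return 'patched', 'vulnerable' or 'review' for a version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        # rc/dev/local builds or unparseable pins: fix status is not stated
        # on the page, so a person has to look at them.
        return "review"
    major, minor, patch = map(int, m.groups())
    if (major, minor, patch) >= FIRST_FIXED_MAINLINE:
        return "patched"
    fixed_patch = FIXED_BY_BRANCH.get((major, minor))
    if fixed_patch is not None and patch >= fixed_patch:
        return "patched"
    # Assumption: branches older than 2.4 have no listed backport.
    return "vulnerable"


def audit(host_freezes):
    """Map host -> list of (package, version, status) for TensorFlow pins."""
    findings = {}
    for host, freeze in host_freezes.items():
        rows = []
        for line in freeze.splitlines():
            name, sep, version = line.strip().partition("==")
            if sep and name.lower().replace("_", "-") in TF_PACKAGES:
                rows.append((name, version, classify(version)))
        findings[host] = rows
    return findings


# Constructed sample inventory (host names and pins are made up).
SAMPLE = {
    "notebook-01": "numpy==1.19.5\ntensorflow==2.6.0\n",
    "train-gpu-02": "tensorflow-gpu==2.5.2\nscipy==1.7.1\n",
    "serving-03": "tensorflow==2.7.0rc1\n",
    "ci-runner-04": "tensorflow-cpu==2.3.4\n",
}

if __name__ == "__main__":
    for host, rows in audit(SAMPLE).items():
        for name, version, status in rows:
            print(f"{host:14} {name:16} {version:10} {status}")
```

Feed it the real `pip freeze` output collected from each notebook server, training image and CI runner; anything reported as `review` needs a manual check against the fix commit.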

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - AI system security
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain value of deployed AI systems
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2021-41214 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41214, increasing the risk of exploitation.

What systems are affected by CVE-2021-41214?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, feature engineering pipelines, shared notebook environments, model serving.

What is the CVSS score for CVE-2021-41214?

CVE-2021-41214 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for `tf.ragged.cross` has an undefined behavior due to binding a reference to `nullptr`. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with a low-privilege data scientist account on a shared Kubeflow or JupyterHub cluster crafts a Python script calling tf.ragged.cross with malformed ragged tensor inputs designed to pass shape inference and trigger the null pointer dereference in the C++ kernel. The resulting memory corruption in the TensorFlow runtime allows shellcode or ROP chain execution under the training pod's service account, which typically carries broad permissions to object storage (S3/GCS), model registries, and secrets managers. The attacker exfiltrates model artifacts and cloud credentials, then uses those credentials for lateral movement into production inference infrastructure.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: November 5, 2021
Last Modified: November 21, 2024
First Seen: November 5, 2021
