CVE-2021-41215: TensorFlow: DeserializeSparse null deref causes DoS

Severity: MEDIUM | PoC available
Published: November 5, 2021

CISO Take

This medium-severity vulnerability allows a local low-privilege user to crash TensorFlow processes by supplying malformed sparse tensor data to DeserializeSparse, causing a null pointer dereference. Risk is primarily in shared ML platforms, Jupyter hubs, or multi-tenant training environments where untrusted users can execute TF code. Patch immediately to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4.

Risk Assessment

MEDIUM-LOW in most deployments. Local access vector (AV:L) significantly limits exposure — an attacker must already have code execution on the target system. However, in shared ML infrastructure (e.g., internal notebook servers, MLOps platforms with shared GPU clusters), a low-privilege user can reliably crash training jobs or inference workers. No active exploitation reported, not in CISA KEV. Impact is limited to availability (DoS), with no confidentiality or integrity implications.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
tensorflow | pip | | No patch

Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 4% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

  1. PATCH

    Upgrade to TensorFlow 2.7.0, or apply cherrypicked fixes in 2.6.1, 2.5.2, or 2.4.4. Verify via `pip show tensorflow`.

  2. ISOLATE

    If patching is not immediately possible, run TF workloads in isolated containers/VMs per tenant to limit blast radius.

  3. INPUT VALIDATION

    Add pre-processing checks to validate sparse tensor rank and shape (last dimension == 3) before passing to DeserializeSparse.

  4. MONITOR

    Alert on unexpected TF process crashes (SIGABRT/segfault) in ML infrastructure — repeated crashes may indicate exploitation attempts.

  5. INVENTORY

    Identify all internal services consuming sparse tensor inputs from external or untrusted sources.
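
The PATCH and INPUT VALIDATION steps can be enforced in code at the point where a service accepts sparse tensor input. The following is an added example, not TensorFlow's own code: the function names are hypothetical, and the handling of pre-release builds and of release lines older than 2.4 is an assumption marked in the comments.

```python
import re

# First fixed release in each supported line, taken from this page.
FIRST_FIXED = {(2, 4): 4, (2, 5): 2, (2, 6): 1, (2, 7): 0}


def is_patched(version):
    """True if a TensorFlow version string is at or past a fixed release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(.*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(g) for g in m.groups()[:3])
    # Assumption: a pre-release of a fixed version (e.g. rc0) may predate the fix.
    prerelease = bool(re.match(r"\.?(a|b|rc|dev)", m.group(4)))
    if (major, minor) > (2, 7):
        return True
    # Assumption: lines older than 2.4 have no fix release, so they stay unpatched.
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        return False
    return patch > fixed or (patch == fixed and not prerelease)


def shape_of(value):
    """Shape of a tensor-like object (.shape) or of a nested list/tuple."""
    if hasattr(value, "shape"):
        return tuple(value.shape)
    if not isinstance(value, (list, tuple)):
        return ()  # scalar: rank 0
    inner = {shape_of(v) for v in value}
    if len(inner) > 1:
        raise ValueError("ragged input: rows have different shapes")
    return (len(value),) + (inner.pop() if inner else ())


def check_serialized_sparse(value):
    """Reject input that is not rank >= 1 with last dimension 3."""
    shape = shape_of(value)
    if not shape:
        raise ValueError("serialized sparse input must have rank >= 1")
    if shape[-1] != 3:
        raise ValueError(f"last dimension must be 3, got shape {shape}")
    return shape


if __name__ == "__main__":
    # Constructed sample values, not taken from a real workload.
    print(is_patched("2.6.0"), check_serialized_sparse([[b"i", b"v", b"s"]]))
```

Call `check_serialized_sparse` on untrusted input before it reaches DeserializeSparse, and use `is_patched` on the version reported by `pip show tensorflow` to gate deployment.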

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.7.4 - Information security in the AI system lifecycle
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place for monitoring, updating, and improvement of AI risk management
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-41215?

This medium-severity vulnerability allows a local low-privilege user to crash TensorFlow processes by supplying malformed sparse tensor data to DeserializeSparse, causing a null pointer dereference. Risk is primarily in shared ML platforms, Jupyter hubs, or multi-tenant training environments where untrusted users can execute TF code. Patch immediately to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4.

Is CVE-2021-41215 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41215, increasing the risk of exploitation.

How to fix CVE-2021-41215?

1. PATCH: Upgrade to TensorFlow 2.7.0, or apply cherrypicked fixes in 2.6.1, 2.5.2, or 2.4.4. Verify via `pip show tensorflow`.
2. ISOLATE: If patching is not immediately possible, run TF workloads in isolated containers/VMs per tenant to limit blast radius.
3. INPUT VALIDATION: Add pre-processing checks to validate sparse tensor rank and shape (last dimension == 3) before passing to DeserializeSparse.
4. MONITOR: Alert on unexpected TF process crashes (SIGABRT/segfault) in ML infrastructure — repeated crashes may indicate exploitation attempts.
5. INVENTORY: Identify all internal services consuming sparse tensor inputs from external or untrusted sources.

What systems are affected by CVE-2021-41215?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML platforms.

What is the CVSS score for CVE-2021-41215?

CVE-2021-41215 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for `DeserializeSparse` can trigger a null pointer dereference. This is because the shape inference function assumes that the `serialize_sparse` tensor is a tensor with positive rank (and having `3` as the last dimension). The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

An internal threat actor or compromised service account with access to a shared Jupyter notebook server crafts a TensorFlow graph where DeserializeSparse receives a serialize_sparse tensor with rank 0 or an invalid last dimension. When executed — either directly or injected into a shared training pipeline — the shape inference code dereferences a null pointer, crashing the TF runtime process. In a shared ML platform, this terminates all co-located training jobs, causing denial of service for other users. If TF serves an inference endpoint (e.g., TF Serving on an internal model server), a malformed inference request containing a crafted sparse tensor achieves the same crash, taking down the serving process until restarted.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: November 5, 2021
Last Modified: November 21, 2024
First Seen: November 5, 2021
