CVE-2021-41221 — HIGH (CVSS 7.8) AI Security Vulnerability

CISO Take

A local attacker with low privileges on any system running TensorFlow can trigger a heap buffer overflow in CuDNN shape inference, leading to arbitrary code execution under the TF process's identity. In shared GPU training clusters or multi-tenant ML platforms, this is a lateral movement vector. Patch immediately to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4 and audit who has access to shared ML compute infrastructure.

Risk Assessment

CVSS 7.8 High with local access requirement limits internet-exposed risk, but shared ML training clusters (common in enterprise and cloud environments) dramatically increase the realistic attack surface. No active exploitation recorded in CISA KEV, but the low complexity and absence of user interaction requirements make this straightforward to weaponize for a local adversary. Risk is elevated for organizations running multi-tenant GPU infrastructure or CI/CD ML pipelines where multiple users submit training jobs to shared hardware.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 6% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

PATCH

Upgrade TensorFlow to 2.7.0, 2.6.1, 2.5.2, or 2.4.4 — apply to all nodes in training clusters, model serving infrastructure, and developer workstations.
ISOLATE

Enforce OS-level isolation (containers/VMs) for multi-tenant ML training jobs; do not run untrusted training scripts under shared GPU user accounts.
VALIDATE

Add input shape validation before passing tensors to CuDNN operations in custom training code as a defense-in-depth measure.
DETECT

Monitor for unexpected process crashes (segfaults) in TensorFlow workers on GPU nodes — these may indicate exploitation attempts or probing activity.
AUDIT

Review access lists for shared ML compute nodes; apply least-privilege to ML pipeline service accounts.

Classification

Code Execution Framework Training Data AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

6.1.2 - AI risk treatment A.9.1 - Security of AI system resources

NIST AI RMF

GOVERN 6.1 - Third-party AI risk MANAGE 2.2 - Mechanisms to sustain risk management

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-41221?

A local attacker with low privileges on any system running TensorFlow can trigger a heap buffer overflow in CuDNN shape inference, leading to arbitrary code execution under the TF process's identity. In shared GPU training clusters or multi-tenant ML platforms, this is a lateral movement vector. Patch immediately to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4 and audit who has access to shared ML compute infrastructure.

Is CVE-2021-41221 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41221, increasing the risk of exploitation.

How to fix CVE-2021-41221?

1. PATCH: Upgrade TensorFlow to 2.7.0, 2.6.1, 2.5.2, or 2.4.4 — apply to all nodes in training clusters, model serving infrastructure, and developer workstations. 2. ISOLATE: Enforce OS-level isolation (containers/VMs) for multi-tenant ML training jobs; do not run untrusted training scripts under shared GPU user accounts. 3. VALIDATE: Add input shape validation before passing tensors to CuDNN operations in custom training code as a defense-in-depth measure. 4. DETECT: Monitor for unexpected process crashes (segfaults) in TensorFlow workers on GPU nodes — these may indicate exploitation attempts or probing activity. 5. AUDIT: Review access lists for shared ML compute nodes; apply least-privilege to ML pipeline service accounts.

What systems are affected by CVE-2021-41221?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, GPU compute clusters, CI/CD ML pipelines.

What is the CVSS score for CVE-2021-41221?

CVE-2021-41221 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for the `Cudnn*` operations in TensorFlow can be tricked into accessing invalid memory, via a heap buffer overflow. This occurs because the ranks of the `input`, `input_h` and `input_c` parameters are not validated, but code assumes they have certain values. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with a low-privilege account on a shared GPU training cluster (e.g., a compromised data scientist account via credential phishing) submits a crafted training script that calls a Cudnn* operation with tensors whose input, input_h, or input_c ranks deviate from expected values. TensorFlow's shape inference code accesses memory beyond the allocated heap buffer without rank validation, triggering a heap buffer overflow. With careful memory layout manipulation, the attacker achieves arbitrary write primitives, injects shellcode, and escalates to the process owner's privileges — potentially compromising the entire GPU node and any models, credentials, or training data accessible by that process.