CVE-2021-41221: TensorFlow CuDNN heap overflow, local

CISO Take

A local attacker with low privileges on any system running TensorFlow can trigger a heap buffer overflow in CuDNN shape inference, leading to arbitrary code execution under the TF process's identity. In shared GPU training clusters or multi-tenant ML platforms, this is a lateral movement vector. Patch immediately to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4 and audit who has access to shared ML compute infrastructure.

What is the risk?

CVSS 7.8 High with local access requirement limits internet-exposed risk, but shared ML training clusters (common in enterprise and cloud environments) dramatically increase the realistic attack surface. No active exploitation recorded in CISA KEV, but the low complexity and absence of user interaction requirements make this straightforward to weaponize for a local adversary. Risk is elevated for organizations running multi-tenant GPU infrastructure or CI/CD ML pipelines where multiple users submit training jobs to shared hardware.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

7.8 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 12% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

What should I do?

5 steps

PATCH

Upgrade TensorFlow to 2.7.0, 2.6.1, 2.5.2, or 2.4.4 — apply to all nodes in training clusters, model serving infrastructure, and developer workstations.
ISOLATE

Enforce OS-level isolation (containers/VMs) for multi-tenant ML training jobs; do not run untrusted training scripts under shared GPU user accounts.
VALIDATE

Add input shape validation before passing tensors to CuDNN operations in custom training code as a defense-in-depth measure.
DETECT

Monitor for unexpected process crashes (segfaults) in TensorFlow workers on GPU nodes — these may indicate exploitation attempts or probing activity.
AUDIT

Review access lists for shared ML compute nodes; apply least-privilege to ML pipeline service accounts.

How is it classified?

Code Execution Framework Training Data AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

6.1.2 - AI risk treatment A.9.1 - Security of AI system resources

NIST AI RMF

GOVERN 6.1 - Third-party AI risk MANAGE 2.2 - Mechanisms to sustain risk management

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-41221?

A local attacker with low privileges on any system running TensorFlow can trigger a heap buffer overflow in CuDNN shape inference, leading to arbitrary code execution under the TF process's identity. In shared GPU training clusters or multi-tenant ML platforms, this is a lateral movement vector. Patch immediately to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4 and audit who has access to shared ML compute infrastructure.

Is CVE-2021-41221 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41221, increasing the risk of exploitation.

How to fix CVE-2021-41221?

1. PATCH: Upgrade TensorFlow to 2.7.0, 2.6.1, 2.5.2, or 2.4.4 — apply to all nodes in training clusters, model serving infrastructure, and developer workstations. 2. ISOLATE: Enforce OS-level isolation (containers/VMs) for multi-tenant ML training jobs; do not run untrusted training scripts under shared GPU user accounts. 3. VALIDATE: Add input shape validation before passing tensors to CuDNN operations in custom training code as a defense-in-depth measure. 4. DETECT: Monitor for unexpected process crashes (segfaults) in TensorFlow workers on GPU nodes — these may indicate exploitation attempts or probing activity. 5. AUDIT: Review access lists for shared ML compute nodes; apply least-privilege to ML pipeline service accounts.

What systems are affected by CVE-2021-41221?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, GPU compute clusters, CI/CD ML pipelines.

What is the CVSS score for CVE-2021-41221?

CVE-2021-41221 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.21%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingGPU compute clustersCI/CD ML pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0025 Exfiltration via Cyber Means

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: 6.1.2, A.9.1

NIST AI RMF: GOVERN 6.1, MANAGE 2.2

OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for the `Cudnn*` operations in TensorFlow can be tricked into accessing invalid memory, via a heap buffer overflow. This occurs because the ranks of the `input`, `input_h` and `input_c` parameters are not validated, but code assumes they have certain values. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with a low-privilege account on a shared GPU training cluster (e.g., a compromised data scientist account via credential phishing) submits a crafted training script that calls a Cudnn* operation with tensors whose input, input_h, or input_c ranks deviate from expected values. TensorFlow's shape inference code accesses memory beyond the allocated heap buffer without rank validation, triggering a heap buffer overflow. With careful memory layout manipulation, the attacker achieves arbitrary write primitives, injects shellcode, and escalates to the process owner's privileges — potentially compromising the entire GPU node and any models, credentials, or training data accessible by that process.

Weaknesses (CWE)

CWE-787 Out-of-bounds Write Primary CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

[Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.