CVE-2021-41223: TensorFlow FusedBatchNorm heap OOB

CISO Take

TensorFlow's FusedBatchNorm kernel contains a heap out-of-bounds read exploitable by any local or containerized process with low privileges — a realistic threat on shared GPU training infrastructure and multi-tenant ML platforms. Immediate impact: memory disclosure (other tenants' batch data, model weights) and training job crashes. Patch to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4 now; audit any shared notebook or training cluster running unpatched TF versions.

What is the risk?

Risk is moderate-to-high in shared ML infrastructure contexts. CVSS 7.1 reflects high confidentiality and availability impact with low attack complexity and no user interaction required. The local attack vector limits internet-facing exposure, but in cloud ML platforms (SageMaker, Vertex AI, self-hosted Jupyter hubs) and containerized training pipelines, 'local' means any co-tenant process or compromised notebook. Not in CISA KEV and dated 2021, so active exploitation likelihood is low for patched environments — but unpatched TF instances are common in data science teams with slow upgrade cycles.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

7.1 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 10% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I None

A High

What should I do?

6 steps

Patch: Upgrade TensorFlow to 2.7.0, 2.6.1, 2.5.2, or 2.4.4 (cherrypicked fix). Apply to all training workers, inference servers, and notebook environments.
Verify versions: pip show tensorflow | grep Version across all environments.
Container hardening: If patching is delayed, enforce seccomp/AppArmor profiles on TF containers to limit memory read scope.
Isolation: Run training jobs in dedicated namespaces/VMs rather than shared environments.
Detection: Monitor for anomalous TF process crashes (SIGABRT/SIGSEGV in batch norm ops) which may indicate exploitation attempts.
Audit: Identify any TF 2.4.x-2.6.x deployments still in production via SBOM or dependency scan.

How is it classified?

Data Leakage DoS Framework Training Data AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0037 - Data from Local System

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system

ISO 42001

6.1.2 - AI risk treatment 8.4 - AI system impact assessment

NIST AI RMF

GOVERN-1.7 - Processes for detecting and managing AI risks MANAGE-2.2 - Mechanisms for AI risk response

Frequently Asked Questions

What is CVE-2021-41223?

TensorFlow's FusedBatchNorm kernel contains a heap out-of-bounds read exploitable by any local or containerized process with low privileges — a realistic threat on shared GPU training infrastructure and multi-tenant ML platforms. Immediate impact: memory disclosure (other tenants' batch data, model weights) and training job crashes. Patch to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4 now; audit any shared notebook or training cluster running unpatched TF versions.

Is CVE-2021-41223 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41223, increasing the risk of exploitation.

How to fix CVE-2021-41223?

1. Patch: Upgrade TensorFlow to 2.7.0, 2.6.1, 2.5.2, or 2.4.4 (cherrypicked fix). Apply to all training workers, inference servers, and notebook environments. 2. Verify versions: `pip show tensorflow | grep Version` across all environments. 3. Container hardening: If patching is delayed, enforce seccomp/AppArmor profiles on TF containers to limit memory read scope. 4. Isolation: Run training jobs in dedicated namespaces/VMs rather than shared environments. 5. Detection: Monitor for anomalous TF process crashes (SIGABRT/SIGSEGV in batch norm ops) which may indicate exploitation attempts. 6. Audit: Identify any TF 2.4.x-2.6.x deployments still in production via SBOM or dependency scan.

What systems are affected by CVE-2021-41223?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, ML inference servers, shared ML notebooks, MLOps platforms.

What is the CVSS score for CVE-2021-41223?

CVE-2021-41223 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

training pipelinesML inference serversshared ML notebooksMLOps platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0025 Exfiltration via Cyber Means

AML.T0037 Data from Local System

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9

ISO 42001: 6.1.2, 8.4

NIST AI RMF: GOVERN-1.7, MANAGE-2.2

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. In affected versions the implementation of `FusedBatchNorm` kernels is vulnerable to a heap OOB access. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a shared Jupyter notebook server (e.g., a malicious insider, a compromised data scientist account, or a co-tenant in a multi-user ML platform) crafts a TensorFlow graph that triggers FusedBatchNorm with malformed input tensors. Upon execution, the kernel reads beyond the allocated heap buffer. Depending on heap layout, the attacker may recover fragments of adjacent memory — including mini-batch training data from another user's concurrent training job, partial model checkpoint weights, or authentication tokens cached in the process. Alternatively, the OOB read causes a controlled crash, enabling a targeted denial-of-service against a specific training run.

Weaknesses (CWE)

CWE-125 Out-of-bounds Read Primary CWE-125 Out-of-bounds Read

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.