CVE-2021-41223 — HIGH (CVSS 7.1) AI Security Vulnerability

CISO Take

TensorFlow's FusedBatchNorm kernel contains a heap out-of-bounds read exploitable by any local or containerized process with low privileges — a realistic threat on shared GPU training infrastructure and multi-tenant ML platforms. Immediate impact: memory disclosure (other tenants' batch data, model weights) and training job crashes. Patch to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4 now; audit any shared notebook or training cluster running unpatched TF versions.

Risk Assessment

Risk is moderate-to-high in shared ML infrastructure contexts. CVSS 7.1 reflects high confidentiality and availability impact with low attack complexity and no user interaction required. The local attack vector limits internet-facing exposure, but in cloud ML platforms (SageMaker, Vertex AI, self-hosted Jupyter hubs) and containerized training pipelines, 'local' means any co-tenant process or compromised notebook. Not in CISA KEV and dated 2021, so active exploitation likelihood is low for patched environments — but unpatched TF instances are common in data science teams with slow upgrade cycles.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.1 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 5% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I None

A High

Recommended Action

6 steps

Patch: Upgrade TensorFlow to 2.7.0, 2.6.1, 2.5.2, or 2.4.4 (cherrypicked fix). Apply to all training workers, inference servers, and notebook environments.
Verify versions: pip show tensorflow | grep Version across all environments.
Container hardening: If patching is delayed, enforce seccomp/AppArmor profiles on TF containers to limit memory read scope.
Isolation: Run training jobs in dedicated namespaces/VMs rather than shared environments.
Detection: Monitor for anomalous TF process crashes (SIGABRT/SIGSEGV in batch norm ops) which may indicate exploitation attempts.
Audit: Identify any TF 2.4.x-2.6.x deployments still in production via SBOM or dependency scan.

Classification

Data Leakage DoS Framework Training Data AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0037 - Data from Local System

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system

ISO 42001

6.1.2 - AI risk treatment 8.4 - AI system impact assessment

NIST AI RMF

GOVERN-1.7 - Processes for detecting and managing AI risks MANAGE-2.2 - Mechanisms for AI risk response

Frequently Asked Questions

What is CVE-2021-41223?

TensorFlow's FusedBatchNorm kernel contains a heap out-of-bounds read exploitable by any local or containerized process with low privileges — a realistic threat on shared GPU training infrastructure and multi-tenant ML platforms. Immediate impact: memory disclosure (other tenants' batch data, model weights) and training job crashes. Patch to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4 now; audit any shared notebook or training cluster running unpatched TF versions.

Is CVE-2021-41223 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41223, increasing the risk of exploitation.

How to fix CVE-2021-41223?

1. Patch: Upgrade TensorFlow to 2.7.0, 2.6.1, 2.5.2, or 2.4.4 (cherrypicked fix). Apply to all training workers, inference servers, and notebook environments. 2. Verify versions: `pip show tensorflow | grep Version` across all environments. 3. Container hardening: If patching is delayed, enforce seccomp/AppArmor profiles on TF containers to limit memory read scope. 4. Isolation: Run training jobs in dedicated namespaces/VMs rather than shared environments. 5. Detection: Monitor for anomalous TF process crashes (SIGABRT/SIGSEGV in batch norm ops) which may indicate exploitation attempts. 6. Audit: Identify any TF 2.4.x-2.6.x deployments still in production via SBOM or dependency scan.

What systems are affected by CVE-2021-41223?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, ML inference servers, shared ML notebooks, MLOps platforms.

What is the CVSS score for CVE-2021-41223?

CVE-2021-41223 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. In affected versions the implementation of `FusedBatchNorm` kernels is vulnerable to a heap OOB access. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a shared Jupyter notebook server (e.g., a malicious insider, a compromised data scientist account, or a co-tenant in a multi-user ML platform) crafts a TensorFlow graph that triggers FusedBatchNorm with malformed input tensors. Upon execution, the kernel reads beyond the allocated heap buffer. Depending on heap layout, the attacker may recover fragments of adjacent memory — including mini-batch training data from another user's concurrent training job, partial model checkpoint weights, or authentication tokens cached in the process. Alternatively, the OOB read causes a controlled crash, enabling a targeted denial-of-service against a specific training run.