AI Threat Alert

CVE-2021-41224: TensorFlow: heap OOB read in SparseFillEmptyRows op

HIGH PoC AVAILABLE
Published November 5, 2021
CISO Take

Upgrade TensorFlow to 2.7.0, 2.6.1, 2.5.2, or 2.4.4 immediately. Any pipeline processing sparse tensors from untrusted sources is at risk — an attacker can trigger a heap out-of-bounds read to leak adjacent memory or crash the process. Prioritize model serving endpoints that accept sparse tensor inputs from external users.

What is the risk?

Moderate-high risk for organizations running unpatched TensorFlow in shared or externally-accessible ML infrastructure. CVSS 7.1 (High) with local attack vector limits remote-only exploitation, but multi-tenant ML platforms, Jupyter environments, or serving APIs that process user-supplied sparse tensors are viable attack surfaces. No active exploitation observed and not in CISA KEV, but the low attack complexity (AC:L) means exploitation is straightforward once access is obtained.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.1 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 10% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I None
A High

What should I do?

5 steps

  1. Patch: Upgrade to TensorFlow 2.7.0, 2.6.1, 2.5.2, or 2.4.4 per the advisory.

  2. Input validation: Enforce that indices and values arrays are equal in length before invoking SparseFillEmptyRows or any sparse tensor op.

  3. Isolation: Run TensorFlow training and serving in containers with restricted privileges to limit heap disclosure blast radius.

  4. SBOM

    Audit all TensorFlow instances in production using your software inventory — this includes transitive dependencies in ML pipelines.

  5. Detection: Alert on abnormal TensorFlow process crashes or SIGABRT signals in serving infrastructure as a potential exploitation indicator.

How is it classified?

Code Execution DoS Framework Training Data AML.T0010.001 AML.T0043 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.3 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-41224?

Upgrade TensorFlow to 2.7.0, 2.6.1, 2.5.2, or 2.4.4 immediately. Any pipeline processing sparse tensors from untrusted sources is at risk — an attacker can trigger a heap out-of-bounds read to leak adjacent memory or crash the process. Prioritize model serving endpoints that accept sparse tensor inputs from external users.

Is CVE-2021-41224 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41224, increasing the risk of exploitation.

How to fix CVE-2021-41224?

1. Patch: Upgrade to TensorFlow 2.7.0, 2.6.1, 2.5.2, or 2.4.4 per the advisory. 2. Input validation: Enforce that indices and values arrays are equal in length before invoking SparseFillEmptyRows or any sparse tensor op. 3. Isolation: Run TensorFlow training and serving in containers with restricted privileges to limit heap disclosure blast radius. 4. SBOM: Audit all TensorFlow instances in production using your software inventory — this includes transitive dependencies in ML pipelines. 5. Detection: Alert on abnormal TensorFlow process crashes or SIGABRT signals in serving infrastructure as a potential exploitation indicator.

What systems are affected by CVE-2021-41224?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, data preprocessing pipelines, recommendation systems.

What is the CVSS score for CVE-2021-41224?

CVE-2021-41224 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingdata preprocessing pipelinesrecommendation systems

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0043 Craft Adversarial Data
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.8.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. In affected versions the implementation of `SparseFillEmptyRows` can be made to trigger a heap OOB access. This occurs whenever the size of `indices` does not match the size of `values`. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a model serving API or data ingestion pipeline submits a crafted sparse tensor payload where the indices array length does not match the values array length. When TensorFlow internally calls SparseFillEmptyRows — for example, during sparse feature preprocessing in a recommendation model — it reads beyond the allocated heap buffer. In a multi-tenant ML platform or a training pipeline processing uploaded datasets, a malicious record can trigger the condition, leaking heap contents from adjacent memory pages (potentially including model parameters or API tokens stored in the process) or crashing the training worker, disrupting operations.

Weaknesses (CWE)

CWE-125 Out-of-bounds Read Primary CWE-125 Out-of-bounds Read

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

References

Timeline

Published
November 5, 2021
Last Modified
November 21, 2024
First Seen
November 5, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed