CVE-2021-41226: TensorFlow: heap OOB in SparseBinCount, crash/disclosure

HIGH PoC AVAILABLE
Published November 5, 2021
CISO Take

A heap out-of-bounds access in TensorFlow's SparseBinCount operator allows a low-privileged local attacker to read heap memory of the TensorFlow process or crash it. In shared ML compute environments (Jupyter hubs, MLOps clusters), anyone who can get crafted sparse inputs to a SparseBinCount op, for example through training data or inference requests, can trigger it. Patch immediately to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4; all ship the fix.

Risk Assessment

CVSS 7.1 (High) with a local attack vector limits direct internet-facing exposure, but in multi-tenant ML platforms and shared data science environments the effective attack surface is significant. Low complexity and low privileges required mean that any user who can feed sparse inputs to a SparseBinCount op inside a TF process can trigger it. The combination of confidentiality impact (heap read, so potential disclosure of secrets or model weights held by that process) and availability impact (crash) makes this a meaningful operational risk for teams running shared TF infrastructure.

Affected Systems

Package      Ecosystem   Vulnerable Range                    Patched
tensorflow   pip         < 2.4.4; 2.5.0 to 2.5.1; 2.6.0      2.4.4, 2.5.2, 2.6.1, 2.7.0

Severity & Risk

CVSS 3.1
7.1 / 10
EPSS
0.02%
chance of exploitation in 30 days
Higher than 5% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV):        Local
Attack Complexity (AC):    Low
Privileges Required (PR):  Low
User Interaction (UI):     None
Scope (S):                 Unchanged
Confidentiality (C):       High
Integrity (I):             None
Availability (A):          High

Recommended Action

5 steps
  1. Upgrade TensorFlow to 2.7.0 (latest at disclosure), or to the patched point release of the branch you run (2.6.1, 2.5.2, or 2.4.4), which carry the cherry-picked fix.

  2. Audit all environments running TF — particularly shared Jupyter hubs, MLflow tracking servers, and Kubeflow pipelines.

  3. As a workaround where patching is delayed, validate sparse inputs at the ingestion boundary before they reach SparseBinCount: every index must lie within the tensor's dense_shape, values (and weights, if used) must align one-to-one with indices, and bin ids must lie in [0, size).

  4. Enable process crash alerting on ML workers to detect exploitation attempts.

  5. Scan container images and virtual environments for pinned vulnerable TF versions using pip-audit or Grype.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system for high-risk AI
ISO 42001
A.6.2.5 - AI system vulnerability management
NIST AI RMF
GOVERN 6.1 - Policies and procedures for AI risk
MANAGE 2.2 - Mechanisms for tracking, responding to AI risks

Frequently Asked Questions

What is CVE-2021-41226?

A heap out-of-bounds access in TensorFlow's SparseBinCount operator allows a low-privileged local attacker to read heap memory of the TensorFlow process or crash it. In shared ML compute environments (Jupyter hubs, MLOps clusters), anyone who can get crafted sparse inputs to a SparseBinCount op, for example through training data or inference requests, can trigger it. Patch immediately to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4; all ship the fix.

Is CVE-2021-41226 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41226, increasing the risk of exploitation.

How to fix CVE-2021-41226?

1. Upgrade TensorFlow to 2.7.0 (latest at disclosure), or to the patched point release of the branch you run (2.6.1, 2.5.2, or 2.4.4), which carry the cherry-picked fix.
2. Audit all environments running TF, particularly shared Jupyter hubs, MLflow tracking servers, and Kubeflow pipelines.
3. As a workaround where patching is delayed, validate sparse inputs at the ingestion boundary before they reach SparseBinCount: every index must lie within the tensor's dense_shape, values (and weights, if used) must align one-to-one with indices, and bin ids must lie in [0, size).
4. Enable process crash alerting on ML workers to detect exploitation attempts.
5. Scan container images and virtual environments for pinned vulnerable TF versions using pip-audit or Grype.

What systems are affected by CVE-2021-41226?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML compute environments, data preprocessing pipelines.

What is the CVSS score for CVE-2021-41226?

CVE-2021-41226 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. In affected versions the implementation of `SparseBinCount` is vulnerable to a heap OOB access. This is because of missing validation between the elements of the `values` argument and the shape of the sparse output. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary who can submit jobs, notebooks, or datasets to a shared ML cluster supplies a sparse input to a SparseBinCount operation whose indices and values do not agree with the declared shape of the sparse output. Vulnerable versions do not check this, so the op reads heap memory outside the output buffer, or crashes. Because the read happens inside the TensorFlow process, what can leak is that process's heap: model weights, credentials the process has loaded (API keys read from environment variables, tokens for artifact stores), and, where one process serves several users (a shared kernel or serving instance), other tenants' in-flight data. The CVSS vector records no integrity impact (I:N), so treat this as a disclosure and denial-of-service bug; nothing in the advisory supports a code-execution claim.
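The ingestion-boundary check from Recommended Action step 3, applied to exactly the mismatch described above, together with the version gate behind step 5. This is an added example written for this advisory, not TensorFlow's own validation code; the function names are hypothetical, it assumes the caller can intercept the sparse tensor's components (indices, values, dense_shape) before they reach the bincount call, and its version helper ignores pre-release suffixes. The sample batches at the bottom are constructed.

```python
"""Ingestion-boundary checks for sparse inputs headed to SparseBinCount.

Added example for this advisory; not TensorFlow's own code. Helper names are
hypothetical. The bounds enforced are the ones a sparse tensor must satisfy
anyway: every index inside dense_shape, one value (and one weight) per index,
and every bin id inside [0, size).
"""
import re
from typing import List, Optional, Sequence, Tuple


class UnsafeSparseInput(ValueError):
    """Raised when a sparse input would address rows or bins outside its declared bounds."""


def validate_sparse_bincount_input(
    indices: Sequence[Sequence[int]],
    values: Sequence[int],
    dense_shape: Sequence[int],
    size: int,
    weights: Optional[Sequence[float]] = None,
) -> Tuple[List[List[int]], List[int], List[int]]:
    """Return (indices, values, dense_shape) as plain lists, or raise UnsafeSparseInput.

    indices:     [N, rank] coordinates of the non-zero entries
    values:      [N] bin ids to be counted
    dense_shape: [rank] declared shape of the sparse tensor; axis 0 selects the output row
    size:        number of output bins
    weights:     optional [N] per-entry weights, one per value
    """
    if size <= 0:
        raise UnsafeSparseInput(f"size must be positive, got {size}")
    dense_shape = [int(d) for d in dense_shape]
    if not dense_shape or any(d < 0 for d in dense_shape):
        raise UnsafeSparseInput(f"dense_shape must be non-empty and non-negative, got {dense_shape}")
    rank = len(dense_shape)
    indices = [[int(c) for c in row] for row in indices]
    values = [int(v) for v in values]
    n = len(indices)
    # One value per index row: the op walks indices and values in lockstep.
    if len(values) != n:
        raise UnsafeSparseInput(f"{len(values)} values for {n} index rows")
    if weights is not None and len(weights) != n:
        raise UnsafeSparseInput(f"{len(weights)} weights for {n} index rows")
    for i, row in enumerate(indices):
        if len(row) != rank:
            raise UnsafeSparseInput(f"index row {i} has rank {len(row)}, dense_shape has rank {rank}")
        for axis, (coord, bound) in enumerate(zip(row, dense_shape)):
            # Every coordinate must lie inside the declared dense shape. Axis 0 is the
            # output row the op writes to, so an oversized coordinate there is the
            # index/shape mismatch the advisory describes.
            if not 0 <= coord < bound:
                raise UnsafeSparseInput(f"index row {i} axis {axis}: {coord} not in [0, {bound})")
    for i, v in enumerate(values):
        # Conservative: reject bins outside [0, size) rather than rely on the op to handle them.
        if not 0 <= v < size:
            raise UnsafeSparseInput(f"value {i}: bin {v} not in [0, {size})")
    return indices, values, dense_shape


def check_sparse_bincount_input(*args, **kwargs) -> Tuple[bool, str]:
    """Non-raising form for pipelines that log and drop bad records."""
    try:
        validate_sparse_bincount_input(*args, **kwargs)
        return True, "ok"
    except UnsafeSparseInput as exc:
        return False, str(exc)


# Patched point release per branch, as named in the advisory; 2.7.0+ is patched outright.
_PATCHED_POINT_RELEASE = {(2, 4): (2, 4, 4), (2, 5): (2, 5, 2), (2, 6): (2, 6, 1)}


def tf_version_is_patched(version: str) -> bool:
    """True if a tensorflow version string carries the fix named in the advisory.

    Assumption: pre-release suffixes are ignored, so "2.7.0rc0" is treated as 2.7.0.
    """
    nums = [int(p) for p in re.findall(r"\d+", version)]
    major, minor, patch = (nums + [0, 0, 0])[:3]
    if (major, minor) >= (2, 7):
        return True
    floor = _PATCHED_POINT_RELEASE.get((major, minor))
    return floor is not None and (major, minor, patch) >= floor


if __name__ == "__main__":
    # Constructed sample batch: a 2x3 sparse tensor counted into 4 bins.
    good = dict(indices=[[0, 0], [0, 2], [1, 1]], values=[3, 0, 2], dense_shape=[2, 3], size=4)
    # Constructed malformed batch: the second index row points at row 7 of a 2-row tensor.
    bad = dict(indices=[[0, 0], [7, 2]], values=[3, 0], dense_shape=[2, 3], size=4)
    for name, batch in (("good", good), ("bad", bad)):
        print(name, check_sparse_bincount_input(**batch))
    for v in ("2.4.3", "2.4.4", "2.6.0", "2.7.0", "1.15.5"):
        print(v, "patched" if tf_version_is_patched(v) else "VULNERABLE")
```

Run the check where records are deserialized (a tf.data map stage or the request handler of a serving endpoint), and drop or quarantine rejected records rather than repairing them: a coordinate outside dense_shape is malformed data by definition, and silently clamping it would hide the very input a detection rule should be alerting on.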

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Timeline

Published
November 5, 2021
Last Modified
November 21, 2024
First Seen
November 5, 2021

Related Vulnerabilities