AI Threat Alert AI Threat Alert

CVE-2021-41227: TensorFlow: OOB read in ImmutableConst leaks memory

MEDIUM PoC AVAILABLE
Published November 5, 2021
CISO Take

A local attacker with low privileges can read arbitrary process memory through TensorFlow's ImmutableConst operation by exploiting improper handling of memory-mapped tstring types. In shared ML infrastructure (multi-tenant GPU clusters, notebook servers), this could expose model weights, API credentials, or training data held in process memory. Patch to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4 immediately; restrict local access to ML training and serving environments as compensating control.

Risk Assessment

Medium overall, elevated in shared-compute ML environments. The local attack vector is the primary risk limiter — exploitation requires a foothold on the TensorFlow host. However, ML infrastructure frequently runs on shared GPU servers or multi-tenant Jupyter environments where local access is common and expected. In those contexts, the confidentiality impact is effectively HIGH: an adversary co-tenant could craft a malicious saved model or graph and read sensitive data from the TF runtime process memory. No integrity or availability impact. EPSS data unavailable but CWE-125 out-of-bounds reads in popular ML frameworks are regularly targeted post-exploitation.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
5.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 24% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I None
A None

Recommended Action

5 steps

  1. PATCH

    Upgrade TensorFlow to 2.7.0+, 2.6.1+, 2.5.2+, or 2.4.4+ (commits 1cb6bb6 and 3712a2d).

  2. VALIDATE INPUT

    Reject SavedModels or TF graphs from untrusted sources before execution — scan for ImmutableConst ops with memory-mapped string tensors until patched.

  3. ISOLATE

    Run TensorFlow inference/training workloads in dedicated containers or VMs with minimal privileges; do not share TF worker processes across trust boundaries.

  4. AUDIT

    Inventory all TF versions deployed in training and serving pipelines; include transitive dependencies in ML Docker images.

  5. DETECT

    Monitor for unexpected process memory spikes or model files containing tstring memory-mapped constants in production serving.

Classification

Data Extraction Supply Chain Framework Inference AML.T0010.001 AML.T0011.001 AML.T0025 AML.T0037

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.3 - Information security in AI system lifecycle
NIST AI RMF
MANAGE-2.2 - Mechanisms are in place to respond to and recover from identified AI risks
OWASP LLM Top 10
LLM06:2025 - Excessive Agency / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-41227?

A local attacker with low privileges can read arbitrary process memory through TensorFlow's ImmutableConst operation by exploiting improper handling of memory-mapped tstring types. In shared ML infrastructure (multi-tenant GPU clusters, notebook servers), this could expose model weights, API credentials, or training data held in process memory. Patch to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4 immediately; restrict local access to ML training and serving environments as compensating control.

Is CVE-2021-41227 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41227, increasing the risk of exploitation.

How to fix CVE-2021-41227?

1. PATCH: Upgrade TensorFlow to 2.7.0+, 2.6.1+, 2.5.2+, or 2.4.4+ (commits 1cb6bb6 and 3712a2d). 2. VALIDATE INPUT: Reject SavedModels or TF graphs from untrusted sources before execution — scan for ImmutableConst ops with memory-mapped string tensors until patched. 3. ISOLATE: Run TensorFlow inference/training workloads in dedicated containers or VMs with minimal privileges; do not share TF worker processes across trust boundaries. 4. AUDIT: Inventory all TF versions deployed in training and serving pipelines; include transitive dependencies in ML Docker images. 5. DETECT: Monitor for unexpected process memory spikes or model files containing tstring memory-mapped constants in production serving.

What systems are affected by CVE-2021-41227?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, on-premise ML infrastructure, shared notebook environments, MLaaS platforms executing user-submitted models.

What is the CVSS score for CVE-2021-41227?

CVE-2021-41227 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.08%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. In affected versions the `ImmutableConst` operation in TensorFlow can be tricked into reading arbitrary memory contents. This is because the `tstring` TensorFlow string class has a special case for memory mapped strings but the operation itself does not offer any support for this datatype. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with local access to a shared ML training server (e.g., a data scientist account on a GPU cluster) crafts a malicious TensorFlow SavedModel containing an ImmutableConst operation with a carefully constructed memory-mapped tstring tensor. When the model is loaded and executed — either by their own session or by tricking the platform into running it — the out-of-bounds read traverses adjacent memory regions of the TF process. This could expose API keys loaded by a co-tenant's training job, model weights stored in memory, or environment variables containing database credentials, all without triggering application-layer alerts.

Weaknesses (CWE)

CWE-125 Primary CWE-125

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
November 5, 2021
Last Modified
November 21, 2024
First Seen
November 5, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed