CVE-2021-41227: TensorFlow OOB read

CISO Take

A local attacker with low privileges can read arbitrary process memory through TensorFlow's ImmutableConst operation by exploiting improper handling of memory-mapped tstring types. In shared ML infrastructure (multi-tenant GPU clusters, notebook servers), this could expose model weights, API credentials, or training data held in process memory. Patch to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4 immediately; restrict local access to ML training and serving environments as compensating control.

What is the risk?

Medium overall, elevated in shared-compute ML environments. The local attack vector is the primary risk limiter — exploitation requires a foothold on the TensorFlow host. However, ML infrastructure frequently runs on shared GPU servers or multi-tenant Jupyter environments where local access is common and expected. In those contexts, the confidentiality impact is effectively HIGH: an adversary co-tenant could craft a malicious saved model or graph and read sensitive data from the TF runtime process memory. No integrity or availability impact. EPSS data unavailable but CWE-125 out-of-bounds reads in popular ML frameworks are regularly targeted post-exploitation.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

5.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 14% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I None

A None

What should I do?

5 steps

PATCH

Upgrade TensorFlow to 2.7.0+, 2.6.1+, 2.5.2+, or 2.4.4+ (commits 1cb6bb6 and 3712a2d).
VALIDATE INPUT

Reject SavedModels or TF graphs from untrusted sources before execution — scan for ImmutableConst ops with memory-mapped string tensors until patched.
ISOLATE

Run TensorFlow inference/training workloads in dedicated containers or VMs with minimal privileges; do not share TF worker processes across trust boundaries.
AUDIT

Inventory all TF versions deployed in training and serving pipelines; include transitive dependencies in ML Docker images.
DETECT

Monitor for unexpected process memory spikes or model files containing tstring memory-mapped constants in production serving.

How is it classified?

Data Extraction Supply Chain Framework Inference AML.T0010.001 - AI Software AML.T0011.001 - Malicious Package AML.T0025 - Exfiltration via Cyber Means AML.T0037 - Data from Local System

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.8.3 - Information security in AI system lifecycle

NIST AI RMF

MANAGE-2.2 - Mechanisms are in place to respond to and recover from identified AI risks

OWASP LLM Top 10

LLM06:2025 - Excessive Agency / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-41227?

A local attacker with low privileges can read arbitrary process memory through TensorFlow's ImmutableConst operation by exploiting improper handling of memory-mapped tstring types. In shared ML infrastructure (multi-tenant GPU clusters, notebook servers), this could expose model weights, API credentials, or training data held in process memory. Patch to TF 2.7.0, 2.6.1, 2.5.2, or 2.4.4 immediately; restrict local access to ML training and serving environments as compensating control.

Is CVE-2021-41227 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41227, increasing the risk of exploitation.

How to fix CVE-2021-41227?

1. PATCH: Upgrade TensorFlow to 2.7.0+, 2.6.1+, 2.5.2+, or 2.4.4+ (commits 1cb6bb6 and 3712a2d). 2. VALIDATE INPUT: Reject SavedModels or TF graphs from untrusted sources before execution — scan for ImmutableConst ops with memory-mapped string tensors until patched. 3. ISOLATE: Run TensorFlow inference/training workloads in dedicated containers or VMs with minimal privileges; do not share TF worker processes across trust boundaries. 4. AUDIT: Inventory all TF versions deployed in training and serving pipelines; include transitive dependencies in ML Docker images. 5. DETECT: Monitor for unexpected process memory spikes or model files containing tstring memory-mapped constants in production serving.

What systems are affected by CVE-2021-41227?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, on-premise ML infrastructure, shared notebook environments, MLaaS platforms executing user-submitted models.

What is the CVSS score for CVE-2021-41227?

CVE-2021-41227 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.23%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingon-premise ML infrastructureshared notebook environmentsMLaaS platforms executing user-submitted models

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0011.001 Malicious Package

AML.T0025 Exfiltration via Cyber Means

AML.T0037 Data from Local System

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.8.3

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. In affected versions the `ImmutableConst` operation in TensorFlow can be tricked into reading arbitrary memory contents. This is because the `tstring` TensorFlow string class has a special case for memory mapped strings but the operation itself does not offer any support for this datatype. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with local access to a shared ML training server (e.g., a data scientist account on a GPU cluster) crafts a malicious TensorFlow SavedModel containing an ImmutableConst operation with a carefully constructed memory-mapped tstring tensor. When the model is loaded and executed — either by their own session or by tricking the platform into running it — the out-of-bounds read traverses adjacent memory regions of the TF process. This could expose API keys loaded by a co-tenant's training job, model weights stored in memory, or environment variables containing database credentials, all without triggering application-layer alerts.

Weaknesses (CWE)

CWE-125 Out-of-bounds Read Primary CWE-125 Out-of-bounds Read

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.