CVE-2021-29520: TensorFlow is an end-to-end open source platform for machine learning. Missing validation between arguments to `tf.raw_o
Summary
TensorFlow, a machine learning platform, has a vulnerability in its `tf.raw_ops.Conv3DBackprop*` operations where missing validation of input arguments can cause a heap buffer overflow (a crash or security issue where a program writes data beyond its allocated memory). The problem occurs because the code assumes three data structures (called tensors) have matching shapes, but doesn't check this before accessing them simultaneously.
Solution / Mitigation
The fix will be included in TensorFlow 2.5.0 and will be backported to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
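The fixed releases listed above can be turned into a check over pinned dependencies. This is an added example, not code from the TensorFlow project or from this tracker. It assumes that release branches with no backport listed here never received the fix and that a pre-release of a fixed version may predate it; the sample requirements text is constructed.

```python
import re

# First patched patch level per release branch, as listed in this advisory.
BACKPORTS = {(2, 1): 4, (2, 2): 3, (2, 3): 3, (2, 4): 2}
FIRST_FIXED_BRANCH = (2, 5)
PACKAGES = {"tensorflow", "tensorflow-cpu", "tensorflow-gpu"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")
PRERELEASE_RE = re.compile(r"^[-.]?(a|b|rc|dev)")
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([^\s;#]+)")


def has_fix(version):
    """Return True if `version` is at or past the fixed release for its branch."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    prerelease = bool(PRERELEASE_RE.match(m.group(4)))
    branch = (major, minor)
    if branch >= FIRST_FIXED_BRANCH:
        # Assumption: a pre-release of 2.5.0 itself may predate the fix.
        return not (branch == FIRST_FIXED_BRANCH and patch == 0 and prerelease)
    if branch in BACKPORTS:
        fixed = BACKPORTS[branch]
        return patch > fixed or (patch == fixed and not prerelease)
    # Assumption: branches with no backport listed here never received the fix.
    return False


def unpatched_pins(requirements_text):
    """Return (package, version) for exact TensorFlow pins lacking the fix."""
    findings = []
    for line in requirements_text.splitlines():
        m = PIN_RE.match(line)
        if m and m.group(1).lower().replace("_", "-") in PACKAGES:
            if not has_fix(m.group(2)):
                findings.append((m.group(1), m.group(2)))
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = """\
numpy==1.19.5
tensorflow==2.4.1
tensorflow-gpu==2.3.3  # patched backport
tensorflow-cpu==2.5.0rc1
"""

if __name__ == "__main__":
    print(unpatched_pins(SAMPLE))
```

Only exact `==` pins with a three-part version are evaluated; ranges and wildcard pins need a resolver and are outside what this check covers.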
Vulnerability Details
2.5 (low)
EPSS: 0.0%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2021-29520
First tracked: February 15, 2026 at 08:38 PM
Classified by LLM (prompt v3) · confidence: 95%