CVE-2021-29577: TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.AvgPool3DGrad`
Summary
CVE-2021-29577 is a heap buffer overflow (a memory safety bug in which code writes past the end of an allocated buffer) in TensorFlow, the open source machine learning platform, in the kernel behind `tf.raw_ops.AvgPool3DGrad`. The implementation assumes that the `orig_input_shape` and `grad` tensors (multi-dimensional arrays) have matching dimensions, but it never validates that assumption before using them, so inconsistent inputs lead to the out-of-bounds write.
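The missing check can be made concrete with a small, self-contained validator, added here as an illustration and not TensorFlow's own code: it derives the gradient shape implied by `orig_input_shape`, the pooling window (`ksize`), `strides` and `padding` (all assumed to follow the TensorFlow NDHWC convention with 5 entries each), and rejects a `grad` that disagrees before anything is allocated or indexed.

```python
import math

# Illustrative shape validation for an AvgPool3D gradient op (hypothetical
# helper, not TensorFlow's kernel). Assumed layout: NDHWC for the input shape,
# with ksize and strides given as 5-element sequences in the same layout.

def pooled_dim(in_size, k, s, padding):
    """Length of one pooled dimension under the VALID / SAME padding rules."""
    if padding == "VALID":
        return max(0, math.ceil((in_size - k + 1) / s))
    if padding == "SAME":
        return math.ceil(in_size / s)
    raise ValueError(f"unknown padding {padding!r}")


def validate_avg_pool3d_grad(orig_input_shape, grad_shape, ksize, strides,
                             padding="VALID"):
    """Reject inconsistent inputs up front.

    Returns the gradient shape implied by orig_input_shape, ksize, strides
    and padding, or raises ValueError when the caller-supplied grad does not
    match it. The advisory describes the kernel assuming these shapes agree
    without checking; this function is the check it lacked.
    """
    if len(orig_input_shape) != 5:
        raise ValueError("orig_input_shape must hold 5 entries (N, D, H, W, C)")
    if len(grad_shape) != 5:
        raise ValueError("grad must be a rank-5 tensor")
    if len(ksize) != 5 or len(strides) != 5:
        raise ValueError("ksize and strides must each have 5 entries")
    if any(v <= 0 for v in orig_input_shape):
        raise ValueError("orig_input_shape entries must be positive")
    if any(v <= 0 for v in ksize) or any(v <= 0 for v in strides):
        raise ValueError("ksize and strides entries must be positive")
    # Like TensorFlow's pooling ops, only the three spatial dims are pooled.
    if ksize[0] != 1 or ksize[4] != 1 or strides[0] != 1 or strides[4] != 1:
        raise ValueError("pooling over batch or channel dims is not supported")
    n, d, h, w, c = orig_input_shape
    expected = (
        n,
        pooled_dim(d, ksize[1], strides[1], padding),
        pooled_dim(h, ksize[2], strides[2], padding),
        pooled_dim(w, ksize[3], strides[3], padding),
        c,
    )
    if tuple(grad_shape) != expected:
        raise ValueError(f"grad shape {tuple(grad_shape)} != expected {expected}")
    return expected
```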
Solution / Mitigation
The fix will be included in TensorFlow 2.5.0. TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4 will also receive this fix through a cherry-pick commit, as these versions are still supported.
Vulnerability Details
Severity score: 2.5 (Low)
EPSS: 0.0%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2021-29577
First tracked: February 15, 2026 at 08:39 PM