Input validation error in TensorFlow - CVE-2021-29591

 

Published: May 13, 2021 / Updated: May 4, 2026


Vulnerability identifier: #VU129300
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-29591
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: TensorFlow
Software vendor: TensorFlow

Description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the TFLite subgraph evaluation logic when parsing a crafted model with looping subgraphs. A remote attacker can supply a specially crafted model to cause a denial of service.

In certain cases, the infinite loop is replaced by a stack overflow caused by excessive recursive calls. The issue can be triggered when the body and loop subgraphs reference the same subgraph in the While operator.
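A pre-load check for the condition described above, as an added example that is not TensorFlow's code or its fix. It assumes the model has already been decoded into a simplified list of subgraphs (each a list of operator dicts with hypothetical `type`, `cond` and `body` keys) rather than the TFLite flatbuffer schema, and it goes beyond the single case in the text by reporting any cycle of While references between subgraphs.

```python
from typing import Dict, List, Set

# Constructed sample: subgraph 0 runs a WHILE whose body (subgraph 2) contains
# another WHILE that points back at subgraph 0.
SAMPLE_MODEL = [
    [{"type": "WHILE", "cond": 1, "body": 2}],
    [{"type": "LESS"}],
    [{"type": "WHILE", "cond": 1, "body": 0}],
]

def find_while_problems(subgraphs: List[List[dict]]) -> List[str]:
    """Return findings for WHILE operators that could loop or recurse forever."""
    findings: List[str] = []
    edges: Dict[int, Set[int]] = {i: set() for i in range(len(subgraphs))}
    for idx, ops in enumerate(subgraphs):
        for op in ops:
            if op.get("type") != "WHILE":
                continue
            cond, body = op.get("cond"), op.get("body")
            for name, ref in (("cond", cond), ("body", body)):
                if isinstance(ref, int) and 0 <= ref < len(subgraphs):
                    edges[idx].add(ref)
                else:
                    findings.append(f"subgraph {idx}: WHILE {name} index {ref!r} is invalid")
            if cond == body:
                findings.append(f"subgraph {idx}: WHILE cond and body are both subgraph {cond}")
    # Iterative depth-first search: an edge back to a subgraph that is still
    # on the current path means evaluation could re-enter it without end.
    state: Dict[int, str] = {}
    for start in edges:
        if start in state:
            continue
        state[start], path = "open", [start]
        stack = [(start, iter(sorted(edges[start])))]
        while stack:
            node, refs = stack[-1]
            nxt = next(refs, None)
            if nxt is None:
                state[node] = "done"
                stack.pop()
                path.pop()
            elif state.get(nxt) == "open":
                cycle = path[path.index(nxt):] + [nxt]
                findings.append("reference cycle: " + " -> ".join(map(str, cycle)))
            elif nxt not in state:
                state[nxt] = "open"
                path.append(nxt)
                stack.append((nxt, iter(sorted(edges[nxt]))))
    return findings
```

A model that yields any finding should be rejected before it is handed to the interpreter.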


Remediation

Install the security update from the vendor's website.
