CVE-2021-29531 in TensorFlow
Summary
by MITRE • 05/15/2021
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a `CHECK` fail in PNG encoding by providing an empty input tensor as the pixel data. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/e312e0791ce486a80c9d23110841525c6f7c3289/tensorflow/core/kernels/image/encode_png_op.cc#L57-L60) only validates that the total number of pixels in the image does not overflow. Thus, an attacker can send an empty matrix for encoding. However, if the tensor is empty, then the associated buffer is `nullptr`. Hence, when calling `png::WriteImageToBuffer`(https://github.com/tensorflow/tensorflow/blob/e312e0791ce486a80c9d23110841525c6f7c3289/tensorflow/core/kernels/image/encode_png_op.cc#L79-L93), the first argument (i.e., `image.flat().data()`) is `NULL`. This then triggers the `CHECK_NOTNULL` in the first line of `png::WriteImageToBuffer`(https://github.com/tensorflow/tensorflow/blob/e312e0791ce486a80c9d23110841525c6f7c3289/tensorflow/core/lib/png/png_io.cc#L345-L349). Since `image` is null, this results in `abort` being called after printing the stacktrace. Effectively, this allows an attacker to mount a denial of service attack. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/19/2021
The vulnerability CVE-2021-29531 affects TensorFlow's PNG encoding functionality and represents a denial of service condition that stems from inadequate input validation. This flaw exists within the image encoding pipeline where TensorFlow processes tensor data to generate PNG format output. The issue manifests when an attacker provides an empty input tensor as pixel data for PNG encoding operations. The implementation at hand only verifies that the total number of pixels in the image does not cause integer overflow during processing, but fails to validate whether the tensor actually contains valid data. This oversight creates a critical gap in the validation logic that allows malicious actors to exploit the system through crafted empty tensor inputs.
The technical execution of this vulnerability occurs through a specific code path within TensorFlow's kernel implementation for PNG encoding. When an empty tensor is passed to the encode_png_op function, the system attempts to access the tensor's data buffer through the flat() method which returns a nullptr for empty tensors. The subsequent call to png::WriteImageToBuffer function receives this null pointer as its first argument, specifically image.flat().data(), which triggers a CHECK_NOTNULL assertion in the underlying PNG library implementation. This assertion failure causes the program to call abort() and terminate execution, effectively creating a denial of service condition that can be reliably triggered by any attacker with access to the TensorFlow API.
This vulnerability aligns with CWE-476 which describes NULL Pointer Dereference, and demonstrates how inadequate input validation can lead to system instability. From an operational perspective, this flaw represents a significant security concern for any system that exposes TensorFlow's image encoding capabilities to untrusted inputs, such as web applications, data processing pipelines, or machine learning platforms that accept user-uploaded images for processing. The attack vector is straightforward and requires minimal sophistication, making it particularly dangerous in production environments where service availability is critical. The vulnerability affects multiple TensorFlow versions including 2.1.4 through 2.4.1, indicating that it has been present in the codebase for an extended period and could have been exploited in numerous deployments.
The mitigation strategy involves implementing proper validation checks that ensure tensor data is not only non-null but also contains valid pixel information before proceeding with PNG encoding operations. The TensorFlow development team addressed this issue by incorporating additional validation logic that prevents empty tensors from reaching the problematic code path. The fix was included in TensorFlow 2.5.0 and backported to older supported versions including 2.4.2, 2.3.3, 2.2.3, and 2.1.4, demonstrating the severity of the issue and the importance of maintaining secure software practices. Organizations should prioritize updating their TensorFlow installations to versions containing this fix and implement additional monitoring to detect potential exploitation attempts. This vulnerability also highlights the importance of comprehensive input validation in machine learning frameworks, particularly in image processing operations where malformed inputs can trigger system-level failures. The ATT&CK framework categorizes this as a denial of service attack technique, where adversaries leverage software vulnerabilities to disrupt service availability, making it a critical concern for security-conscious deployments of machine learning infrastructure.