Vulnerability DatabaseCVE-2021-29574

CVE-2021-29574:
Python vulnerability analysis and mitigation

Overview

TensorFlow, an end-to-end open source platform for machine learning, was found to contain a vulnerability (CVE-2021-29574) in the implementation of tf.raw_ops.MaxPool3DGradGrad. The vulnerability was discovered by Ying Wang and Yakun Zhang of Baidu X-Team and disclosed on May 14, 2021. The issue affects TensorFlow versions prior to 2.5.0, including versions 2.1.x, 2.2.x, 2.3.x, and 2.4.x (GitHub Advisory).

Technical details

The vulnerability stems from the implementation's failure to validate tensor inputs, which can lead to undefined behavior through null pointer dereferencing. When an attacker supplies empty tensors as inputs, accessing elements in these tensors results in dereferencing null pointers. The issue received a CVSS v3.1 score of 7.8 HIGH (NVD).

Impact

When exploited, this vulnerability can lead to undefined behavior in the application through null pointer dereferencing. This could potentially result in application crashes or denial of service conditions when processing specially crafted inputs (GitHub Advisory).

Mitigation and workarounds

The issue was patched in GitHub commit a3d9f9be9ac2296615644061b40cefcee341dcc4 and included in TensorFlow 2.5.0. The fix was also backported to TensorFlow 2.4.2, 2.3.3, 2.2.3, and 2.1.4. Users are advised to upgrade to these patched versions to mitigate the vulnerability (GitHub Advisory).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

7.8

Score

Published May 14, 2021

Severity HIGH

CNA Score 2.5

Affected Technologies

Python
TensorFlow

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 3.3

Exploitation Probability (EPSS) N/A

Affected packages and libraries

tensorflow-gpu
cpe:2.3:a:google:tensorflow

Sources

GitHub Advisory Database
- pip Severity LOWHas FixAdded at: Nov 23, 2021
Nix
- Nix Severity HIGHHas FixAdded at: Oct 10, 2023
NVD
- Linux Severity HIGHHas FixAdded at: Nov 23, 2021

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Python vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-67748	HIGH	7.1	Python	fickling	No	Yes	Dec 16, 2025
CVE-2025-67747	HIGH	7.1	Python	fickling	No	Yes	Dec 16, 2025
CVE-2025-68113	MEDIUM	6.5	JavaScript	altcha-org/altcha	No	Yes	Dec 16, 2025
CVE-2025-67492	MEDIUM	5.3	Python	weblate	No	Yes	Dec 16, 2025
CVE-2025-67715	MEDIUM	4.3	Python	weblate	No	Yes	Dec 16, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2021-29574: Python vulnerability analysis and mitigation