CVE-2022-35959

TensorFlow is an open source platform for machine learning. The implementation of AvgPool3DGradOp does not fully validate the input originputshape. This results in an overflow that results in a CHECK failure which can be used to trigger a denial of service attack. We have patched the issue in...

CVE-2022-35940 Int overflow in `RaggedRangeOp` in Tensoflow

TensorFlow is an open source platform for machine learning. The RaggedRangOp function takes an argument limits that is eventually used to construct a TensorShape as an int64. If limits is a very large float, it can overflow when converted to an int64. This triggers an InvalidArgument but also...

`CHECK`-failures in `TensorByteSize` in Tensorflow

Impact A malicious user can cause a denial of service by altering a SavedModel such that TensorByteSize would trigger CHECK failures. cc int64t TensorByteSizeconst TensorProto& t // numelements returns -1 if shape is not fully defined. int64t numelems = TensorShapet.tensorshape.numelements; retur...

GHSA-5F2R-QP73-37MR `CHECK`-failures during Grappler's `SafeToRemoveIdentity` in Tensorflow

Impact The Grappler optimizer in TensorFlow can be used to cause a denial of service by altering a SavedModel such that SafeToRemoveIdentity would trigger CHECK failures. Patches We have patched the issue in GitHub commit 92dba16749fae36c246bec3f9ba474d9ddeb7662. The fix will be included in...

GHSA-QX3F-P745-W4HR Integer overflow in Tensorflow

Impact The implementation of Range suffers from integer overflows. These can trigger undefined behavior or, in some scenarios, extremely large allocations. Patches We have patched the issue in GitHub commit f0147751fd5d2ff23251149ebad9af9f03010732 merging 51733. The fix will be included in...

GHSA-627Q-G293-49Q7 Abort caused by allocating a vector that is too large in Tensorflow

Impact During shape inference, TensorFlow can allocate a large vector based on a value from a tensor controlled by the user: cc const auto numdims = Valueshapedim; std::vector dims; dims.reservenumdims; Patches We have patched the issue in GitHub commit 1361fb7e29449629e1df94d44e0427ebec8c83c7. T...

GHSA-FQ86-3F29-PX2C `CHECK`-failures during Grappler's `IsSimplifiableReshape` in Tensorflow

Impact The Grappler optimizer in TensorFlow can be used to cause a denial of service by altering a SavedModel such that IsSimplifiableReshape would trigger CHECK failures. Patches We have patched the issue in GitHub commits ebc1a2ffe5a7573d905e99bd0ee3568ee07c12c1,...

PYSEC-2022-99

Tensorflow is an Open Source Machine Learning Framework. A GraphDef from a TensorFlow SavedModel can be maliciously altered to cause a TensorFlow process to crash due to encountering a StatusOr value that is an error and forcibly extracting the value from it. We have patched the issue in multiple...

GHSA-M342-FF57-4JCC Heap OOB read in `tf.raw_ops.SparseCountSparseOutput`

Impact The shape inference functions for SparseCountSparseOutput can trigger a read outside of bounds of heap allocated array: python import tensorflow as tf @tf.function def func: return tf.rawops.SparseCountSparseOutput indices=1, values=1, denseshape=10, weights=, binaryoutput= True func The...

GHSA-CPF4-WX82-GXP6 Segfault due to negative splits in `SplitV`

Impact The implementation of SplitV can trigger a segfault is an attacker supplies negative arguments: python import tensorflow as tf tf.rawops.SplitV value=tf.constant, sizesplits=-1, -2 ,axis=0, numsplit=2 This occurs whenever sizesplits contains more than one value and at least one value is...

GHSA-RG3M-HQC5-344V `SparseFillEmptyRows` heap OOB

Impact The implementation of SparseFillEmptyRows can be made to trigger a heap OOB access: python import tensorflow as tf data=tf.rawops.SparseFillEmptyRows indices=0,0,0,0,0,0, values='sssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss', denseshape=5,3, defaultvalue='o' This occurs...

PYSEC-2021-809

TensorFlow is an open source platform for machine learning. In affeced versions during execution, EinsumHelper::ParseEquation is supposed to set the flags in inputhasellipsis vector and outputhasellipsis boolean to indicate whether there is ellipsis in the corresponding inputs and output. However...

GHSA-9C8H-VVRJ-W2P8 Heap OOB in `RaggedGather`

Impact If the arguments to tf.rawops.RaggedGather don't determine a valid ragged tensor code can trigger a read from outside of bounds of heap allocated buffers. python import tensorflow as tf tf.rawops.RaggedGather paramsnestedsplits = 0,0,0, paramsdensevalues = 1,1, indices = 0,0,9,0,0,...

GHSA-H6JH-7GV5-28VG Bad alloc in `StringNGrams` caused by integer conversion

Impact The implementation of tf.rawops.StringNGrams is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. python import tensorflow as tf tf.rawops.StringNGrams data='','', datasplits=0,2, separator...

Reference binding to nullptr and heap OOB in binary cwise ops

Impact An attacker can cause undefined behavior via binding a reference to null pointer in all binary cwise operations that don't require broadcasting e.g., gradients of binary cwise operations: python import tensorflow as tf tf.rawops.SqrtGrady=4, 16,dy= The implementation assumes that the two...

GHSA-VMJW-C2VP-P33C Crash in NMS ops caused by integer conversion to unsigned

Impact An attacker can cause denial of service in applications serving models using tf.rawops.NonMaxSuppressionV5 by triggering a division by 0: python import tensorflow as tf tf.rawops.NonMaxSuppressionV5 boxes=0.1,0.1,0.1,0.1,0.2,0.2,0.2,0.2,0.3,0.3,0.3,0.3, scores=1.0,2.0,3.0, maxoutputsize=-1...

GHSA-RHRQ-64MQ-HF9H FPE in TFLite division operations

Impact The implementation of division in TFLite is vulnerable to a division by 0 error There is no check that the divisor tensor does not contain zero elements. Patches We have patched the issue in GitHub commit 1e206baedf8bef0334cca3eb92bab134ef525a28. The fix will be included in TensorFlow 2.6....

PYSEC-2021-785

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a denial of service via a segmentation fault in tf.rawops.MaxPoolGrad caused by missing validation. The implementation misses some validation for the originput and origoutput tensor...

PYSEC-2021-304

TensorFlow is an end-to-end open source platform for machine learning. In affected versions all TFLite operations that use quantization can be made to use unitialized values. For example. The issue stems from the fact that quantization.params is only valid if quantization.type is different that...

PYSEC-2021-596

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of division in TFLite is vulnerable to a division by 0 error. There is no check that the divisor tensor does not contain zero elements. We have patched the issue in GitHub commit...