High severityNVD Advisory· Published May 4, 2020· Updated Aug 5, 2024

CVE-2018-21233

Description

Integer overflow in TensorFlow's DecodeBmp operation prior to version 1.7.0 leads to out-of-bounds read, potentially exposing process memory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in TensorFlow's DecodeBmp operation prior to version 1.7.0 leads to out-of-bounds read, potentially exposing process memory.

Vulnerability

Overview

CVE-2018-21233 is an integer overflow vulnerability in the BMP decoder of TensorFlow, specifically in the DecodeBmp operation within core/kernels/decode_bmp_op.cc [1]. The flaw occurs due to insufficient validation of image dimensions during BMP file processing. When a crafted BMP image with large width and height values is provided, calculations such as row_size and last_pixel_offset can overflow, resulting in an incorrect file size estimate [1][2]. This causes the decoder to read beyond the allocated buffer, leading to an out-of-bounds read [2].

Exploitation

An attacker can trigger this vulnerability by supplying a malicious BMP image to a TensorFlow application using the DecodeBmp operation. The attack requires no authentication or special privileges, and it can be executed remotely if the application accepts user-provided images [2]. The vulnerable code path does not properly check for integer overflow when computing expected file size, allowing the attacker to craft inputs that bypass the existing size checks [4]. The specific commit that fixes the issue introduces explicit checks to ensure that width is positive, header_size is non-negative, and the total pixel bytes are within safe bounds [4].

Impact

Successful exploitation allows an attacker to read out-of-bounds memory from the TensorFlow process. This can lead to the disclosure of sensitive process memory contents, potentially revealing confidential data such as other users' information or internal system details [2]. The vulnerability is rated with a CVSS v3 base score of 7.5 (High) due to the high confidentiality impact and the lack of required privileges or user interaction [2].

Mitigation

The vulnerability was fixed in TensorFlow version 1.7.0, which was released in March 2018 [1][2]. Users are strongly advised to upgrade to TensorFlow 1.7.0 or later. The fix is also present in all subsequent releases, including the current version. There are no known workarounds for earlier versions, and upgrading is the only reliable mitigation. The CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
tensorflowPyPI	< 1.7.0	1.7.0
tensorflow-gpuPyPI	< 1.7.0	1.7.0

Affected products

TensorFlow/TensorFlowdescription
ghsa-coords2 versions
pkg:pypi/tensorflow pkg:pypi/tensorflow-gpu
< 1.7.0+ 1 more
- (no CPE)range: < 1.7.0
- (no CPE)range: < 1.7.0

Patches

49f73c55d56e

Fix integer overflow in BMP decoder by making the checks in DecodeBmp

https://github.com/tensorflow/tensorflowDavid G. AndersenFeb 15, 2018via ghsa

commit

3 files changed · +53 −5

tensorflow/core/kernels/decode_bmp_op.cc+22 −5 modified

@@ -91,15 +91,32 @@ class DecodeBmpOp : public OpKernel {
                 errors::InvalidArgument(
                     "Number of channels must be 1, 3 or 4, was ", channels_));
 
+    OP_REQUIRES(context, width > 0 && header_size >= 0,
+                errors::InvalidArgument("Width must be positive"));
+    OP_REQUIRES(context, header_size >= 0,
+                errors::InvalidArgument("header size must be nonnegative"));
+
+    // The real requirement is < 2^31 minus some headers and channel data,
+    // so rounding down to something that's still ridiculously big.
+    OP_REQUIRES(
+        context,
+        (static_cast<int64>(width) * std::abs(static_cast<int64>(height))) <
+            static_cast<int64>(std::numeric_limits<int32_t>::max() / 8),
+        errors::InvalidArgument(
+            "Total possible pixel bytes must be less than 2^30"));
+
+    const int32 abs_height = abs(height);
+
     // there may be padding bytes when the width is not a multiple of 4 bytes
     // 8 * channels == bits per pixel
     const int row_size = (8 * channels_ * width + 31) / 32 * 4;
 
-    const int last_pixel_offset =
-        header_size + (abs(height) - 1) * row_size + (width - 1) * channels_;
+    const int64 last_pixel_offset = static_cast<int64>(header_size) +
+                                    (abs_height - 1) * row_size +
+                                    (width - 1) * channels_;
 
     // [expected file size] = [last pixel offset] + [last pixel size=channels]
-    const int expected_file_size = last_pixel_offset + channels_;
+    const int64 expected_file_size = last_pixel_offset + channels_;
 
     OP_REQUIRES(
         context, (expected_file_size <= input.size()),
@@ -115,12 +132,12 @@ class DecodeBmpOp : public OpKernel {
     Tensor* output = nullptr;
     OP_REQUIRES_OK(
         context, context->allocate_output(
-                     0, TensorShape({abs(height), width, channels_}), &output));
+                     0, TensorShape({abs_height, width, channels_}), &output));
 
     const uint8* bmp_pixels = &img_bytes[header_size];
 
     Decode(bmp_pixels, row_size, output->flat<uint8>().data(), width,
-           abs(height), channels_, top_down);
+           abs_height, channels_, top_down);
   }
 
   uint8* Decode(const uint8* input, const int row_size, uint8* const output,

tensorflow/core/kernels/fuzzing/BUILD+2 −0 modified

@@ -43,6 +43,8 @@ tf_ops_fuzz_target_lib("decode_base64")
 
 tf_ops_fuzz_target_lib("encode_jpeg")
 
+tf_ops_fuzz_target_lib("decode_bmp")
+
 tf_ops_fuzz_target_lib("decode_png")
 
 tf_ops_fuzz_target_lib("decode_jpeg")

tensorflow/core/kernels/fuzzing/decode_bmp_fuzz.cc+29 −0 added

@@ -0,0 +1,29 @@
+/* Copyright 2018 Google Inc. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+==============================================================================*/
+
+#include "tensorflow/cc/ops/standard_ops.h"
+#include "tensorflow/core/kernels/fuzzing/fuzz_session.h"
+
+namespace tensorflow {
+namespace fuzzing {
+
+class FuzzDecodeBmp : public FuzzStringInputOp {
+  SINGLE_INPUT_OP_BUILDER(DT_STRING, DecodeBmp);
+};
+
+STANDARD_TF_FUZZ_FUNCTION(FuzzDecodeBmp);
+
+}  // end namespace fuzzing
+}  // end namespace tensorflow

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-h98h-8mxr-m8gxghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2018-21233ghsaADVISORY
github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2020-269.yamlghsaWEB
github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2020-304.yamlghsaWEB
github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2020-253.yamlghsaWEB
github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-001.mdghsax_refsource_MISCWEB
github.com/tensorflow/tensorflow/commit/49f73c55d56edffebde4bca4a407ad69c1cae433ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000