VYPR
Low severity · NVD Advisory · Published May 14, 2021 · Updated Aug 3, 2024

Heap out of bounds read in `RaggedCross`

CVE-2021-29532

Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can force accesses outside the bounds of heap-allocated arrays by passing invalid tensor values to tf.raw_ops.RaggedCross. The implementation (https://github.com/tensorflow/tensorflow/blob/efea03b38fb8d3b81762237dc85e579cc5fc6e87/tensorflow/core/kernels/ragged_cross_op.cc#L456-L487) lacks validation for the user-supplied arguments: it walks the `input_order` attribute one character at a time and, for each 'R', 'S' or 'D', calls a helper function after accessing array elements via a *_list[next_*] pattern, then increments the corresponding next_* index. Because nothing checks that the next_* values are within range for the corresponding *_list arrays, an `input_order` that names more ragged, sparse or dense inputs than were actually supplied results in heap out-of-bounds reads. The fix will be included in TensorFlow 2.5.0. We will also cherry-pick this commit onto TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still within the supported range.
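The walk described above, replayed in a small stand-alone model so the faulty indexing can be seen on concrete inputs. This is an added example, not TensorFlow's code: the struct and function names (InputLists, FirstOutOfRangeAccess, ValidateInputOrder) are this example's own, only list sizes are modelled (no tensors are read), and the "unsupported character" rejection in the validator is this example's choice rather than the kernel's documented behaviour.

```cpp
// Added example (not TensorFlow's code): models the input_order walk of
// RaggedCrossOp in tensorflow/core/kernels/ragged_cross_op.cc. Each 'R', 'S'
// or 'D' in input_order consumes the next element of the ragged, sparse or
// dense input lists; before the fix nothing checked that such an element
// exists. Names below are this example's own, not kernel identifiers.
#include <cstddef>
#include <iostream>
#include <string>

// Sizes of the OpInputLists the kernel indexes. Only sizes matter for the bug:
// an 'R' reads ragged_values_list[i] AND ragged_splits_list[i], an 'S' reads
// sparse_indices_list[i] AND sparse_values_list[i], a 'D' reads dense_list[i].
struct InputLists {
  size_t ragged_values;
  size_t ragged_splits;
  size_t sparse_indices;
  size_t sparse_values;
  size_t dense;
};

// The first access the unpatched loop would make past the end of a list:
// which list, the index used, and that list's actual size.
struct OutOfRange {
  bool found = false;
  std::string list;
  size_t index = 0;
  size_t size = 0;
};

// Replays the pre-fix loop without touching memory: advances next_ragged /
// next_sparse / next_dense exactly as the kernel does and reports the first
// index that would have been out of bounds (a heap OOB read in the real op).
OutOfRange FirstOutOfRangeAccess(const std::string& input_order,
                                 const InputLists& in) {
  size_t next_ragged = 0, next_sparse = 0, next_dense = 0;
  for (char c : input_order) {
    if (c == 'R') {
      if (next_ragged >= in.ragged_values)
        return {true, "ragged_values_list", next_ragged, in.ragged_values};
      if (next_ragged >= in.ragged_splits)
        return {true, "ragged_splits_list", next_ragged, in.ragged_splits};
      next_ragged++;
    } else if (c == 'S') {
      if (next_sparse >= in.sparse_indices)
        return {true, "sparse_indices_list", next_sparse, in.sparse_indices};
      if (next_sparse >= in.sparse_values)
        return {true, "sparse_values_list", next_sparse, in.sparse_values};
      next_sparse++;
    } else if (c == 'D') {
      if (next_dense >= in.dense)
        return {true, "dense_list", next_dense, in.dense};
      next_dense++;
    }
    // Other characters are skipped here; the kernel has its own else-branch
    // for them, which this model does not reproduce.
  }
  return {};
}

// Up-front alternative to the per-iteration checks in the fix: count how many
// elements input_order will consume from each list and compare once. Returns
// an empty string when valid, otherwise an InvalidArgument-style message.
// Rejecting characters other than R/S/D is this example's choice (assumption).
std::string ValidateInputOrder(const std::string& input_order,
                               const InputLists& in) {
  size_t r = 0, s = 0, d = 0;
  for (char c : input_order) {
    if (c == 'R') r++;
    else if (c == 'S') s++;
    else if (c == 'D') d++;
    else return "input_order contains unsupported character '" +
                std::string(1, c) + "'";
  }
  auto need = [&](size_t used, size_t have, const char* what) -> std::string {
    if (used > have)
      return "input_order \"" + input_order + "\" consumes " +
             std::to_string(used) + " " + what + " but only " +
             std::to_string(have) + " were supplied";
    return "";
  };
  std::string err;
  if (!(err = need(r, in.ragged_values, "ragged values")).empty()) return err;
  if (!(err = need(r, in.ragged_splits, "ragged splits")).empty()) return err;
  if (!(err = need(s, in.sparse_indices, "sparse indices")).empty()) return err;
  if (!(err = need(s, in.sparse_values, "sparse values")).empty()) return err;
  return need(d, in.dense, "dense tensors");
}

int main() {
  // Constructed input: one ragged tensor (values + splits), no sparse, one dense.
  InputLists lists{1, 1, 0, 0, 1};
  OutOfRange oob = FirstOutOfRangeAccess("RRD", lists);  // second 'R' has no tensor
  if (oob.found)
    std::cout << "pre-fix kernel would read " << oob.list << "[" << oob.index
              << "] of a " << oob.size << "-element list\n";
  std::cout << ValidateInputOrder("RRD", lists) << "\n";
  std::cout << (ValidateInputOrder("RD", lists).empty() ? "RD ok" : "RD rejected") << "\n";
  return 0;
}
```

FirstOutOfRangeAccess mirrors the order of checks the fix introduces (values list before splits list for 'R', values before indices for 'S'), so the list it names is the one the fixed kernel's error message would name; ValidateInputOrder shows the whole-string check a reviewer might prefer, which additionally catches a surplus of supplied tensors only if `>` is changed to `!=`.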

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem  Affected versions   Patched versions
tensorflow       PyPI       < 2.1.4             2.1.4
tensorflow       PyPI       >= 2.2.0, < 2.2.3   2.2.3
tensorflow       PyPI       >= 2.3.0, < 2.3.3   2.3.3
tensorflow       PyPI       >= 2.4.0, < 2.4.2   2.4.2
tensorflow-cpu   PyPI       < 2.1.4             2.1.4
tensorflow-cpu   PyPI       >= 2.2.0, < 2.2.3   2.2.3
tensorflow-cpu   PyPI       >= 2.3.0, < 2.3.3   2.3.3
tensorflow-cpu   PyPI       >= 2.4.0, < 2.4.2   2.4.2
tensorflow-gpu   PyPI       < 2.1.4             2.1.4
tensorflow-gpu   PyPI       >= 2.2.0, < 2.2.3   2.2.3
tensorflow-gpu   PyPI       >= 2.3.0, < 2.3.3   2.3.3
tensorflow-gpu   PyPI       >= 2.4.0, < 2.4.2   2.4.2

Affected products (1)

Patches (1)

Commit 44b7f486c014

Fix out of bounds read in `ragged_cross_op.cc`.

https://github.com/tensorflow/tensorflow · Mihai Maruseac · Apr 21, 2021 · via GHSA
1 file changed · +30 −0
  • tensorflow/core/kernels/ragged_cross_op.cc (+30 −0, modified)
    @@ -21,6 +21,7 @@ limitations under the License.
     #include "tensorflow/core/framework/register_types.h"
     #include "tensorflow/core/framework/tensor.h"
     #include "tensorflow/core/framework/tensor_shape.h"
    +#include "tensorflow/core/platform/errors.h"
     #include "tensorflow/core/platform/fingerprint.h"
     #include "tensorflow/core/util/util.h"
     #include "tensorflow/core/util/work_sharder.h"
    @@ -466,16 +467,45 @@ class RaggedCrossOp : public OpKernel {
         int next_dense = 0;
         for (char c : input_order_) {
           if (c == 'R') {
    +        if (next_ragged >= ragged_values_list.size())
    +          return errors::InvalidArgument(
    +              "input_order \"", input_order_,
    +              "\" specifies reading a ragged tensor value at index ",
    +              next_ragged, " from a list of ", ragged_values_list.size(),
    +              " values.");
    +        if (next_ragged >= ragged_splits_list.size())
    +          return errors::InvalidArgument(
    +              "input_order \"", input_order_,
    +              "\" specifies reading a ragged tensor split at index ",
    +              next_ragged, " from a list of ", ragged_splits_list.size(),
    +              " splits.");
             TF_RETURN_IF_ERROR(BuildRaggedFeatureReader(
                 ragged_values_list[next_ragged], ragged_splits_list[next_ragged],
                 features));
             next_ragged++;
           } else if (c == 'S') {
    +        if (next_sparse >= sparse_values_list.size())
    +          return errors::InvalidArgument(
    +              "input_order \"", input_order_,
    +              "\" specifies reading a sparse tensor value at index ",
    +              next_sparse, " from a list of ", sparse_values_list.size(),
    +              " values.");
    +        if (next_sparse >= sparse_indices_list.size())
    +          return errors::InvalidArgument(
    +              "input_order \"", input_order_,
    +              "\" specifies reading a sparse tensor index at index ",
    +              next_sparse, " from a list of ", sparse_indices_list.size(),
    +              " indices.");
             TF_RETURN_IF_ERROR(BuildSparseFeatureReader(
                 sparse_indices_list[next_sparse], sparse_values_list[next_sparse],
                 batch_size, features));
             next_sparse++;
           } else if (c == 'D') {
    +        if (next_dense >= dense_list.size())
    +          return errors::InvalidArgument(
    +              "input_order \"", input_order_,
    +              "\" specifies reading a dense tensor at index ", next_dense,
    +              " from a list of ", dense_list.size(), " tensors.");
             TF_RETURN_IF_ERROR(
                 BuildDenseFeatureReader(dense_list[next_dense++], features));
           } else {
    
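Review bot: the new bounds checks in the 'R', 'S' and 'D' branches fire lazily, one character of input_order_ at a time, so a malformed order string is rejected only when the loop reaches the offending character and the message describes only that one list. Counting the 'R', 'S' and 'D' characters once before the loop and comparing the counts against ragged_values_list.size(), ragged_splits_list.size(), sparse_indices_list.size(), sparse_values_list.size() and dense_list.size() would replace five near-identical blocks with one check and one complete message, and would also be the natural place to decide whether a list longer than input_order_ consumes is an error; the `>=` checks as written silently accept that case. Minor: `int next_dense = 0;` (and, by the same pattern, the other next_* counters) is compared against the unsigned size(), which is safe here only because the counters start at 0 and only increment; a `size_t` or an explicit cast would make that intent visible and avoid the sign-compare warning.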
