Moderate severityNVD Advisory· Published Aug 12, 2021· Updated Aug 4, 2024

Crash in NMS ops caused by integer conversion to unsigned in TensorFlow

CVE-2021-37669

Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause denial of service in applications serving models using tf.raw_ops.NonMaxSuppressionV5 by triggering a division by 0. The implementation uses a user controlled argument to resize a std::vector. However, as std::vector::resize takes the size argument as a size_t and output_size is an int, there is an implicit conversion to unsigned. If the attacker supplies a negative value, this conversion results in a crash. A similar issue occurs in CombinedNonMaxSuppression. We have patched the issue in GitHub commit 3a7362750d5c372420aa8f0caf7bf5b5c3d0f52d and commit [b5cdbf12ffcaaffecf98f22a6be5a64bb96e4f58. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
tensorflowPyPI	< 2.3.4	2.3.4
tensorflowPyPI	>= 2.4.0, < 2.4.3	2.4.3
tensorflowPyPI	>= 2.5.0, < 2.5.1	2.5.1
tensorflow-cpuPyPI	< 2.3.4	2.3.4
tensorflow-cpuPyPI	>= 2.4.0, < 2.4.3	2.4.3
tensorflow-cpuPyPI	>= 2.5.0, < 2.5.1	2.5.1
tensorflow-gpuPyPI	< 2.3.4	2.3.4
tensorflow-gpuPyPI	>= 2.4.0, < 2.4.3	2.4.3
tensorflow-gpuPyPI	>= 2.5.0, < 2.5.1	2.5.1

Affected products

Tensorflow/Tensorflowv5
Range: >= 2.5.0, < 2.5.1

Patches

3a7362750d5c

Prevent crash/heap OOB due to integer conversion to unsigned in NMS kernels

https://github.com/tensorflow/tensorflowMihai MaruseacJul 31, 2021via ghsa

commit

1 file changed · +8 −0

tensorflow/core/kernels/image/non_max_suppression_op.cc+8 −0 modified

@@ -169,6 +169,8 @@ void DoNonMaxSuppressionOp(OpKernelContext* context, const Tensor& scores,
                            bool pad_to_max_output_size = false,
                            int* ptr_num_valid_outputs = nullptr) {
   const int output_size = max_output_size.scalar<int>()();
+  OP_REQUIRES(context, output_size >= 0,
+              errors::InvalidArgument("output size must be non-negative"));
 
   std::vector<T> scores_data(num_boxes);
   std::copy_n(scores.flat<T>().data(), num_boxes, scores_data.begin());
@@ -768,6 +770,9 @@ class NonMaxSuppressionV4Op : public OpKernel {
         context, scores, num_boxes, max_output_size, iou_threshold_val,
         score_threshold_val, dummy_soft_nms_sigma, similarity_fn,
         return_scores_tensor_, pad_to_max_output_size_, &num_valid_outputs);
+    if (!context->status().ok()) {
+      return;
+    }
 
     // Allocate scalar output tensor for number of indices computed.
     Tensor* num_outputs_t = nullptr;
@@ -845,6 +850,9 @@ class NonMaxSuppressionV5Op : public OpKernel {
         context, scores, num_boxes, max_output_size, iou_threshold_val,
         score_threshold_val, soft_nms_sigma_val, similarity_fn,
         return_scores_tensor_, pad_to_max_output_size_, &num_valid_outputs);
+    if (!context->status().ok()) {
+      return;
+    }
 
     // Allocate scalar output tensor for number of indices computed.
     Tensor* num_outputs_t = nullptr;

b5cdbf12ffca

Prevent overflow due to integer conversion to unsigned.

https://github.com/tensorflow/tensorflowMihai MaruseacJul 30, 2021via ghsa

commit

1 file changed · +2 −0

tensorflow/core/kernels/image/non_max_suppression_op.cc+2 −0 modified

@@ -930,6 +930,8 @@ class CombinedNonMaxSuppressionOp : public OpKernel {
         errors::InvalidArgument("max_size_per_class must be 0-D, got shape ",
                                 max_output_size.shape().DebugString()));
     const int max_size_per_class = max_output_size.scalar<int>()();
+    OP_REQUIRES(context, max_size_per_class > 0,
+                errors::InvalidArgument("max_size_per_class must be positive"));
     // max_total_size: scalar
     const Tensor& max_total_size = context->input(3);
     OP_REQUIRES(

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-vmjw-c2vp-p33cghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2021-37669ghsaADVISORY
github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-582.yamlghsaWEB
github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-780.yamlghsaWEB
github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-291.yamlghsaWEB
github.com/tensorflow/tensorflow/commit/3a7362750d5c372420aa8f0caf7bf5b5c3d0f52dghsax_refsource_MISCWEB
github.com/tensorflow/tensorflow/commit/b5cdbf12ffcaaffecf98f22a6be5a64bb96e4f58ghsax_refsource_MISCWEB
github.com/tensorflow/tensorflow/security/advisories/GHSA-vmjw-c2vp-p33cghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000