Overflow/crash in `tf.range`
Description
TensorFlow is an open source platform for machine learning. In affected versions, while calculating the size of the output within the `tf.range` kernel, there is a conditional statement of type `int64 = condition ? int64 : double`. Due to C++ implicit conversion rules, both branches of the condition will be cast to `double` and the result would be truncated before the assignment. This results in overflows. The fix will be included in TensorFlow 2.7.0. We will also cherry-pick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.
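The conversion described above, shown as an added C++ example (not TensorFlow's code): it contrasts the ternary form of the size computation with the split if/else form and adds a range guard for the floating-point path. The function names, the guard and the input 2^53 + 1 are assumptions made for this example.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdlib>
#include <type_traits>
#include <utility>

// A conditional expression has one result type. With an integer branch and a
// double branch (std::ceil returns double), that type is double.
using Mixed = decltype(true ? std::declval<int64_t>() : std::ceil(0.0));
static_assert(std::is_same<Mixed, double>::value, "int64 ?: double is double");

// Pre-fix shape for integer T (hypothetical name). The hidden double is made
// explicit here: the exact quotient is rounded to double, then narrowed.
int64_t SizeViaTernary(int64_t start, int64_t limit, int64_t delta) {
  double as_double =
      std::is_integral<int64_t>::value
          ? ((std::abs(limit - start) + std::abs(delta) - 1) / std::abs(delta))
          : std::ceil(std::abs((limit - start) / delta));
  return static_cast<int64_t>(as_double);
}

// Post-fix shape: separate statements, so the integer path stays in integers.
template <typename T>
int64_t SizeFixed(T start, T limit, T delta) {
  if (std::is_integral<T>::value) {
    return static_cast<int64_t>(
        (std::abs(limit - start) + std::abs(delta) - 1) / std::abs(delta));
  }
  return static_cast<int64_t>(std::ceil(std::abs((limit - start) / delta)));
}

// Element count on the floating-point path, kept as double (hypothetical).
double FloatCount(double start, double limit, double delta) {
  return std::ceil(std::abs((limit - start) / delta));
}

// Added guard, an assumption of this example and not TensorFlow's fix: refuse
// a count that int64_t cannot hold instead of casting it. NaN also fails.
bool CountFitsInt64(double count) {
  return count >= 0.0 && count < 9223372036854775808.0;  // 2^63
}

int main() {
  const int64_t limit = 9007199254740993;  // constructed input: 2^53 + 1
  bool lossy = SizeViaTernary(0, limit, 1) != SizeFixed<int64_t>(0, limit, 1);
  bool rejected = !CountFitsInt64(FloatCount(-1e38, 1.0, 1.0));
  return (lossy && rejected) ? 0 : 1;
}
```

The input 2^53 + 1 is chosen because it is the smallest positive integer a double cannot represent, so the loss is visible while every cast stays in range.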
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tensorflow (PyPI) | >= 2.6.0, < 2.6.1 | 2.6.1 |
| tensorflow (PyPI) | >= 2.5.0, < 2.5.2 | 2.5.2 |
| tensorflow (PyPI) | < 2.4.4 | 2.4.4 |
| tensorflow-cpu (PyPI) | >= 2.6.0, < 2.6.1 | 2.6.1 |
| tensorflow-cpu (PyPI) | >= 2.5.0, < 2.5.2 | 2.5.2 |
| tensorflow-cpu (PyPI) | < 2.4.4 | 2.4.4 |
| tensorflow-gpu (PyPI) | >= 2.6.0, < 2.6.1 | 2.6.1 |
| tensorflow-gpu (PyPI) | >= 2.5.0, < 2.5.2 | 2.5.2 |
| tensorflow-gpu (PyPI) | < 2.4.4 | 2.4.4 |
Affected products
- Range: >= 2.6.0, < 2.6.1
Patches
1b0e0ec27e78 Merge pull request #51711 from yongtang:46899-tf.range
2 files changed · +10 −2
tensorflow/core/kernels/sequence_ops.cc+3 −2 modified@@ -78,9 +78,10 @@ class RangeOp : public OpKernel { } else { size = static_cast<int64>(std::ceil(std::abs((limit - start) / delta))); } + TensorShape shape; + OP_REQUIRES_OK(context, shape.AddDimWithStatus(size)); Tensor* out = nullptr; - OP_REQUIRES_OK(context, - context->allocate_output(0, TensorShape({size}), &out)); + OP_REQUIRES_OK(context, context->allocate_output(0, shape, &out)); auto flat = out->flat<T>(); T val = start; for (int64_t i = 0; i < size; ++i) {
tensorflow/python/kernel_tests/init_ops_test.py+7 −0 modified@@ -550,6 +550,13 @@ def testLargeLimits(self): v = math_ops.range(0, 9223372036854775807) self.evaluate(v) + def testLargeStarts(self): + # Test case for GitHub issue 46899. + with self.session(): + with self.assertRaises(errors_impl.InternalError): + v = math_ops.range(start=-1e+38, limit=1) + self.evaluate(v) + # TODO(vrv): move to sequence_ops_test? class LinSpaceTest(test.TestCase):
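Review bot: in sequence_ops.cc, the context line `size = static_cast<int64>(std::ceil(std::abs((limit - start) / delta)));` still converts the double to int64 before `shape.AddDimWithStatus(size)` runs, so for inputs such as the test's start=-1e+38 the check only sees whatever the out-of-range cast produced, and that conversion is undefined behaviour in C++. Suggest comparing the double against the int64 range and failing with an argument error before the cast, keeping AddDimWithStatus as a second line of defence.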
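Review bot: testLargeStarts in init_ops_test.py covers only one direction (a very negative start with the default step) and pins the error class to InternalError without checking the message. Suggest adding the mirrored case with a very large positive limit and a case with a negative delta, and asserting on the message text so the test fails if the error starts coming from a different check.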
6d94002a0971 Merge pull request #51359 from yongtang:46913-range-overflow
2 files changed · +15 −4
tensorflow/core/kernels/sequence_ops.cc+7 −4 modified@@ -71,10 +71,13 @@ class RangeOp : public OpKernel { errors::InvalidArgument( "Requires start >= limit when delta < 0: ", start, "/", limit)); } - int64_t size = (std::is_integral<T>::value - ? ((std::abs(limit - start) + std::abs(delta) - 1) / - std::abs(delta)) - : std::ceil(std::abs((limit - start) / delta))); + int64_t size = 0; + if (std::is_integral<T>::value) { + size = static_cast<int64>( + (std::abs(limit - start) + std::abs(delta) - 1) / std::abs(delta)); + } else { + size = static_cast<int64>(std::ceil(std::abs((limit - start) / delta))); + } Tensor* out = nullptr; OP_REQUIRES_OK(context, context->allocate_output(0, TensorShape({size}), &out));
tensorflow/python/kernel_tests/init_ops_test.py+8 −0 modified@@ -23,6 +23,7 @@ from tensorflow.python.framework import constant_op from tensorflow.python.framework import dtypes +from tensorflow.python.framework import errors_impl from tensorflow.python.framework import ops from tensorflow.python.framework import random_seed from tensorflow.python.framework import test_util @@ -542,6 +543,13 @@ def testMixedDType(self): constant_op.constant(4, dtype=dtypes.int32), dtype=dtypes.int64) self.assertAllEqual(self.evaluate(tf_ans), np.array([0, 1, 2, 3])) + def testLargeLimits(self): + # Test case for GitHub issue 46913. + with self.session(): + with self.assertRaises(errors_impl.ResourceExhaustedError): + v = math_ops.range(0, 9223372036854775807) + self.evaluate(v) + # TODO(vrv): move to sequence_ops_test? class LinSpaceTest(test.TestCase):
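Review bot: in the integral branch of sequence_ops.cc, `std::abs(limit - start) + std::abs(delta) - 1` is still evaluated in T, so the sum can overflow before the division; for an int64 T with limit - start equal to 9223372036854775807 (the value used in testLargeLimits), adding any positive `std::abs(delta)` exceeds the int64 maximum. Suggest a form that does not add before dividing, for example the quotient plus one when the remainder is non-zero, and a short comment explaining why the ternary was split into if/else.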
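Review bot: testLargeLimits in init_ops_test.py expects ResourceExhaustedError, so it passes because allocating 9223372036854775807 elements fails, not because the computed size was verified. Suggest adding a case with limits near the type maximum and a large delta, so the expected length is small and can be asserted exactly.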
References
- github.com/advisories/GHSA-xrqm-fpgr-6hhx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-41202 (ghsa, ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-612.yaml (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-810.yaml (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-395.yaml (ghsa, WEB)
- github.com/tensorflow/tensorflow/commit/1b0e0ec27e7895b9985076eab32445026ae5ca94 (ghsa, x_refsource_MISC, WEB)
- github.com/tensorflow/tensorflow/commit/6d94002a09711d297dbba90390d5482b76113899 (ghsa, x_refsource_MISC, WEB)
- github.com/tensorflow/tensorflow/issues/46889 (ghsa, x_refsource_MISC, WEB)
- github.com/tensorflow/tensorflow/issues/46912 (ghsa, x_refsource_MISC, WEB)
- github.com/tensorflow/tensorflow/security/advisories/GHSA-xrqm-fpgr-6hhx (ghsa, x_refsource_CONFIRM, WEB)