VYPR
High severity · NVD Advisory · Published Feb 3, 2022 · Updated May 5, 2025

Out of bounds read in Tensorflow

CVE-2022-21726

Description

TensorFlow's Dequantize op lacks upper-bound validation on the axis parameter, leading to heap out-of-bounds reads.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TensorFlow's `Dequantize` op lacks upper-bound validation on the `axis` parameter, leading to heap out-of-bounds reads.

Vulnerability

The implementation of Dequantize in TensorFlow does not fully validate the value of the axis argument [1]. The axis parameter can be -1 (the default) or any positive value up to the number of dimensions of the input tensor. However, the upper bound is not checked, allowing an attacker to supply an axis value that exceeds the number of dimensions [1]. This results in a heap out-of-bounds (OOB) read when the code attempts to access the array that stores the dimension sizes of the input tensor [1]. The vulnerable code is in tensorflow/core/kernels/dequantize_op.cc (lines 92-153) [4]. Affected versions include TensorFlow 2.7.0 and earlier, 2.6.0-2.6.2, and 2.5.0-2.5.2 [1].

Exploitation

An attacker can exploit this vulnerability by providing a crafted TensorFlow model or input data that triggers the Dequantize operation with an out-of-range axis value [1]. No authentication or special privileges are required if the attacker is able to load a malicious model or control the input to a model using the vulnerable operation. The attacker must have the ability to supply the axis argument value; in many TensorFlow use cases, this can be achieved by manipulating the model graph or providing malicious input tensors. The lack of bounds checking means that simply setting axis to a value larger than the input tensor's number of dimensions will cause the OOB read.

Impact

Successful exploitation leads to a heap out-of-bounds read, potentially disclosing sensitive memory contents [1]. The confidentiality impact is considered HIGH, as the attacker may be able to read heap memory beyond the intended array of dimension sizes. Integrity and availability are not directly affected by this OOB read, but the information leak could enable further attacks. According to the NVD assessment, the vulnerability has a CVSS v3.1 base score of 7.5 (HIGH) [1].

Mitigation

The fix for this vulnerability is included in TensorFlow 2.8.0 [1]. The TensorFlow team has cherry-picked the commit to versions 2.7.1, 2.6.3, and 2.5.3 [1]. Users should upgrade to one of these patched versions immediately. If upgrading is not possible, users should ensure that any untrusted models or data are not processed with affected TensorFlow versions, and review the use of the Dequantize operation to avoid supplying untrusted axis values. There is no known workaround that can be applied without patching. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Ecosystem   Affected versions     Patched versions
tensorflow        PyPI        < 2.5.3               2.5.3
tensorflow        PyPI        >= 2.6.0, < 2.6.3     2.6.3
tensorflow        PyPI        >= 2.7.0, < 2.7.1     2.7.1
tensorflow-cpu    PyPI        < 2.5.3               2.5.3
tensorflow-cpu    PyPI        >= 2.6.0, < 2.6.3     2.6.3
tensorflow-cpu    PyPI        >= 2.7.0, < 2.7.1     2.7.1
tensorflow-gpu    PyPI        < 2.5.3               2.5.3
tensorflow-gpu    PyPI        >= 2.6.0, < 2.6.3     2.6.3
tensorflow-gpu    PyPI        >= 2.7.0, < 2.7.1     2.7.1
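As an added example (not VYPR's or TensorFlow's own code), the following Python script checks the locally installed tensorflow, tensorflow-cpu and tensorflow-gpu distributions against the affected ranges in the table above and reports the patched release to move to. It assumes version strings of the form major.minor.patch and drops any pre-release suffix.

```python
"""Audit installed TensorFlow distributions against the CVE-2022-21726
affected ranges listed in this advisory (added example, not VYPR's code)."""
from importlib.metadata import PackageNotFoundError, version as installed_version

# Affected ranges copied from the advisory's "Affected packages" table.
# Each entry: (lower bound inclusive or None, upper bound exclusive, patched).
AFFECTED_RANGES = [
    (None, "2.5.3", "2.5.3"),
    ("2.6.0", "2.6.3", "2.6.3"),
    ("2.7.0", "2.7.1", "2.7.1"),
]
PACKAGES = ("tensorflow", "tensorflow-cpu", "tensorflow-gpu")


def parse_version(text):
    """Turn '2.6.2' (or '2.6.2rc0') into a comparable (major, minor, patch)
    tuple. Pre-release suffixes are dropped (assumption: simplification for
    this check; refine it if you deploy release candidates)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def patched_version_for(version_text):
    """Return the patched release an affected version should upgrade to,
    or None when the version falls outside every affected range."""
    v = parse_version(version_text)
    for lower, upper, patched in AFFECTED_RANGES:
        above_lower = lower is None or v >= parse_version(lower)
        if above_lower and v < parse_version(upper):
            return patched
    return None


def audit_installed(packages=PACKAGES):
    """Map each installed distribution to (installed version, patched target);
    the target is None when not affected. Uninstalled packages are skipped."""
    findings = {}
    for name in packages:
        try:
            current = installed_version(name)
        except PackageNotFoundError:
            continue
        findings[name] = (current, patched_version_for(current))
    return findings
```

Run it as `python -c "import audit; print(audit.audit_installed())"` (or call `audit_installed()` from a shell script) on each host that loads untrusted models; an empty result means no TensorFlow distribution is installed.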

Affected products

5

Patches

1
23968a8bf65b

Fix out of bound access in DequantizeOp by adding check for axis < input dimension

https://github.com/tensorflow/tensorflow · Isha Arkatkar · Nov 20, 2021 · via ghsa
1 file changed · +5 −0
  • tensorflow/core/kernels/dequantize_op.cc · +5 −0 · modified
    @@ -94,6 +94,11 @@ class DequantizeOp : public OpKernel {
         const Tensor& input_min_tensor = ctx->input(1);
         const Tensor& input_max_tensor = ctx->input(2);
     
    +    OP_REQUIRES(
    +        ctx, axis_ < input.dims(),
    +        errors::InvalidArgument("Axis must be less than input dimension(",
    +                                input.dims(), "), got ", axis_));
    +
         int num_slices = 1;
         if (axis_ > -1) {
           num_slices = input.dim_size(axis_);
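Review bot: the new OP_REQUIRES only closes the upper bound; a negative axis other than -1 still satisfies `axis_ < input.dims()` and is kept away from `input.dim_size(axis_)` only by the `if (axis_ > -1)` branch that follows, so either state in a comment that the lower bound is validated elsewhere or make the check self-contained, e.g. `axis_ == -1 || (axis_ >= 0 && axis_ < input.dims())`. The error text also renders as "Axis must be less than input dimension(4), got 7"; add a space before the parenthesis. Finally, the change touches one file and ships no regression test: a kernel test that passes an axis equal to `input.dims()` and expects InvalidArgument would pin the fix.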
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.