VYPR
High severity · NVD Advisory · Published Feb 3, 2022 · Updated May 5, 2025

Integer overflow in TensorFlow

CVE-2022-21727

Description

TensorFlow's Dequantize shape inference has an integer overflow in the axis parameter check, allowing denial of service via crafted input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TensorFlow's `Dequantize` shape inference has an integer overflow in the `axis` parameter check, allowing denial of service via crafted input.

Vulnerability

The implementation of shape inference for the Dequantize op in TensorFlow is vulnerable to an integer overflow weakness [1][4]. The axis argument, which is optional and defaults to -1, can also be any positive value up to the number of dimensions of the input. However, the upper bound is not properly validated before the code computes axis + 1. An attacker can provide an extremely large positive value for axis, such as near kint32max, triggering an integer overflow when the sum is computed [4]. This affects TensorFlow versions 2.5.2 and earlier, 2.6.0 to 2.6.2, and 2.7.0 [1]. The fix is included in TensorFlow 2.8.0, and backported to versions 2.7.1, 2.6.3, and 2.5.3 [1][4].

Exploitation

An attacker can exploit this vulnerability by providing a crafted TensorFlow model or directly calling the Dequantize op with an axis value that is set to a very large integer, e.g., kint32max [4]. No authentication is required if the victim loads an untrusted model or if the attacker has the ability to invoke TensorFlow operations in a session. The exploit does not require user interaction beyond the model loading or op invocation. The integer overflow occurs during shape inference, which is typically executed eagerly or during graph construction.

Impact

Successful exploitation results in undefined behavior due to the integer overflow, which can lead to memory corruption or a crash [1]. This constitutes a denial of service (DoS) vulnerability, potentially causing TensorFlow to crash or produce incorrect results. The CVSS v3.1 base score is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability, though the NVD enrichment has not yet provided a full assessment [1]. The attacker can achieve arbitrary impact within the TensorFlow process, but the vulnerability is primarily a DoS risk based on available references.

Mitigation

The vulnerability is fixed in TensorFlow 2.8.0, released on 2022-02-03 [1]. Backports are available in TensorFlow 2.7.1, 2.6.3, and 2.5.3 [1][4]. Users should upgrade to these patched versions immediately. No workarounds have been published, but users can avoid loading untrusted models or sanitize the axis parameter to be within valid bounds (less than the input rank) as a partial mitigation. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
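As an added illustration of the `axis + 1` overflow described under Vulnerability and of the bound check suggested under Mitigation (this is constructed example code, not TensorFlow's shape function and not part of the advisory), the following C++ models the Dequantize axis validation before and after the fix; `Result`, `UncheckedRequiredRank` and `CheckedRequiredRank` are assumed names.

```cpp
#include <cstdint>
#include <limits>
#include <string>

// Constructed model of the patched Dequantize shape-function checks; it is
// not TensorFlow's code. kint32max mirrors the constant the fix relies on.
constexpr int32_t kint32max = std::numeric_limits<int32_t>::max();

struct Result {
  bool ok;
  std::string message;    // empty when ok
  int64_t required_rank;  // minimum input rank the op will demand (when ok)
};

// Pre-fix arithmetic: `axis + 1` is evaluated in int32. Signed overflow is
// undefined behaviour in C++, so the wrap is modelled with unsigned
// arithmetic here to show the value the op would have handed on as a rank:
// INT32_MIN instead of a positive rank.
int32_t UncheckedRequiredRank(int32_t axis) {
  return static_cast<int32_t>(static_cast<uint32_t>(axis) + 1u);
}

// Post-fix validation in the same order as the patch: lower bound, rank
// bound, then the kint32max guard before `axis + 1` is ever formed.
Result CheckedRequiredRank(int32_t axis, int32_t input_rank) {
  if (axis < -1) {
    return {false, "axis should be at least -1, got " + std::to_string(axis), 0};
  }
  if (axis > input_rank) {
    return {false, "Axis must be less than input dimension(" +
                       std::to_string(input_rank) + "), got " +
                       std::to_string(axis), 0};
  }
  if (axis == -1) {  // per-tensor quantization: no rank requirement
    return {true, "", 0};
  }
  if (axis >= kint32max) {
    return {false, "Axis cannot be >= kint32max value, got " +
                       std::to_string(axis), 0};
  }
  // axis <= kint32max - 1 here, so the sum cannot overflow int32.
  return {true, "", static_cast<int64_t>(axis) + 1};
}
```

Note that, like the patch, this model compares `axis` against the concrete rank and does not special-case an input whose rank is unknown at graph-construction time.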

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Ecosystem  Affected versions   Patched versions
tensorflow      PyPI       < 2.5.3             2.5.3
tensorflow      PyPI       >= 2.6.0, < 2.6.3   2.6.3
tensorflow      PyPI       >= 2.7.0, < 2.7.1   2.7.1
tensorflow-cpu  PyPI       < 2.5.3             2.5.3
tensorflow-cpu  PyPI       >= 2.6.0, < 2.6.3   2.6.3
tensorflow-cpu  PyPI       >= 2.7.0, < 2.7.1   2.7.1
tensorflow-gpu  PyPI       < 2.5.3             2.5.3
tensorflow-gpu  PyPI       >= 2.6.0, < 2.6.3   2.6.3
tensorflow-gpu  PyPI       >= 2.7.0, < 2.7.1   2.7.1

Affected products: 5

Patches: 1
b64638ec5cca

Fix Integer overflow error in Dequantize op shape function, by adding a bound check on axis.

https://github.com/tensorflow/tensorflow · Isha Arkatkar · Nov 24, 2021 · via ghsa
2 files changed · +29 −0
  • tensorflow/core/ops/array_ops.cc (+14 −0, modified)
    @@ -24,6 +24,7 @@ limitations under the License.
     #include "tensorflow/core/framework/types.h"
     #include "tensorflow/core/framework/types.pb.h"
     #include "tensorflow/core/lib/core/errors.h"
    +#include "tensorflow/core/platform/types.h"
     #include "tensorflow/core/util/mirror_pad_mode.h"
     #include "tensorflow/core/util/padding.h"
     #include "tensorflow/core/util/strided_slice_op.h"
    @@ -3028,13 +3029,26 @@ REGISTER_OP("Dequantize")
             return errors::InvalidArgument("axis should be at least -1, got ",
                                            axis);
           }
    +      auto input_dims = c->Rank(c->input(0));
    +      if (axis > input_dims) {
    +        return errors::InvalidArgument(
    +            "Axis must be less than input dimension(", input_dims, "), got ",
    +            axis);
    +      }
           const int minmax_rank = (axis == -1) ? 0 : 1;
           TF_RETURN_IF_ERROR(shape_inference::UnchangedShape(c));
           ShapeHandle minmax;
           TF_RETURN_IF_ERROR(c->WithRank(c->input(1), minmax_rank, &minmax));
           TF_RETURN_IF_ERROR(c->WithRank(c->input(2), minmax_rank, &minmax));
           if (axis != -1) {
             ShapeHandle input;
    +        if (axis >= kint32max) {
    +          // Check int32 max bound for a corner case to prevent integer flow
    +          // when input actually has kint32max rank and above bound check is not
    +          // triggered.
    +          return errors::InvalidArgument(
    +              "Axis cannot be >= kint32max value, got ", axis);
    +        }
             TF_RETURN_IF_ERROR(c->WithRankAtLeast(c->input(0), axis + 1, &input));
             DimensionHandle depth;
             TF_RETURN_IF_ERROR(
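Review bot: the new `if (axis > input_dims)` check breaks inputs whose rank is not yet known: `c->Rank()` returns the `kUnknownRank` sentinel (-1) for an unknown shape, so every non-negative `axis` is rejected at graph-construction time even though the op would be valid once the shape is known; guard the comparison with `c->RankKnown(c->input(0))` first. The comparison is also off by one relative to its message: `axis > input_dims` lets `axis == input_dims` through, which then fails later in `WithRankAtLeast` with a less specific error, while the message promises "Axis must be less than input dimension"; `axis >= input_dims` matches the message and still leaves the later `axis >= kint32max` guard to cover the corner case its comment describes. Minor: that comment reads "integer flow" where "integer overflow" is meant.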
    
  • tensorflow/python/kernel_tests/array_ops/array_ops_test.py (+15 −0, modified)
    @@ -1704,6 +1704,21 @@ def f(a):
           output_grad = gradient_checker_v2.compute_gradient(f, [input_tensor])
           self.assertAllClose(output_grad[0], np.zeros([1, 4, 4]))
     
    +  def testOutOfBoundAxis(self):
    +    input_tensor = constant_op.constant([1., 1.])
    +    input_min = [0]
    +    input_max = [1]
    +    q_input, _, _ = array_ops.quantize(input_tensor, 0, 1, dtypes.qint32)
    +    error = (errors.InvalidArgumentError, ValueError)
    +    with self.assertRaisesRegex(error,
    +                                r".*Axis must be less than input dimension.*"):
    +      self.evaluate(
    +          gen_array_ops.dequantize(
    +              input=q_input,
    +              min_range=input_min,
    +              max_range=input_max,
    +              axis=2**31 - 1))
    +
     
     @test_util.run_all_in_graph_and_eager_modes
     class SortedSearchTest(test_util.TensorFlowTestCase):
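Review bot: the test only reaches the first guard: with a rank-1 `q_input`, `axis=2**31 - 1` fails the `axis > input_dims` check, so the `axis >= kint32max` branch added in the same patch is never executed and a regression there would go unnoticed. Add a positive case next to it (for example `axis=0` on the same rank-1 input, with matching one-element `min_range`/`max_range`) so the new bound check is shown not to reject a valid per-channel axis, and consider a graph-mode case with an input of unknown rank, which is where a comparison against `c->Rank()` is most likely to misbehave.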
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7

News mentions: 0

No linked articles in our index yet.