Out of bounds read in Tensorflow
Description
TensorFlow's ReverseSequence shape inference lacks validation for negative batch_dim, leading to a heap out-of-bounds read.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The shape inference function for ReverseSequence in TensorFlow does not fully validate the value of batch_dim [1]. There is a check that batch_dim does not exceed the rank of the input, but no check for negative values. Negative dimensions are allowed in some places to mimic Python's negative indexing (the range [-rank, rank) resolves to a valid position), but if the value is below -rank, Dim accesses elements before the start of the dimension array, resulting in a heap out-of-bounds (OOB) read. Affected versions include TensorFlow 2.7.0 and earlier, 2.6.0-2.6.2, 2.5.0-2.5.2, and the TensorFlow 2.8.0 release candidate [1].
Exploitation
An attacker can trigger the vulnerability by providing a specially crafted input to ReverseSequence with a batch_dim value that is negative enough to cause an OOB read [1]. The attack requires no authentication or user interaction beyond submitting the malicious input to TensorFlow's model inference or training pipeline. The vulnerable code path is reachable through standard TensorFlow operations.
Impact
Successful exploitation allows an attacker to perform a heap OOB read, which can disclose sensitive memory contents [1]. The impact is limited to information disclosure; it may expose private data processed by the model or other memory-resident information. The vulnerability does not directly enable arbitrary code execution or privilege escalation.
Mitigation
The fix is included in TensorFlow 2.8.0 and has been cherry-picked to TensorFlow 2.7.1, 2.6.3, and 2.5.3 [1]. Users should upgrade to the latest patched version appropriate for their deployment. There are no known workarounds; the vulnerability is addressed solely by applying the official patch. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
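To make the mechanism from the Vulnerability and Mitigation sections concrete, here is an added C++ model (not TensorFlow's code): a stand-in for InferenceContext::Dim that reports whether the resolved index would land inside the dimension array, with the pre-fix check (upper bound only) beside the post-fix check from commit 37c01fb5e25c. The Shape struct, function names and dimension values are hypothetical and constructed for the example.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical stand-in for a shape whose dimensions live in a heap array.
struct Shape {
  std::vector<int64_t> dims;
};

// Models Dim's index resolution: negative idx in [-rank, rank) mimics Python
// indexing; anything more negative resolves to a position before dims[0].
// Reports the result instead of dereferencing, so no UB is triggered.
bool ResolveDimIndex(const Shape& s, int64_t idx, int64_t* resolved) {
  int64_t rank = static_cast<int64_t>(s.dims.size());
  *resolved = idx < 0 ? rank + idx : idx;
  return *resolved >= 0 && *resolved < rank;
}

// Pre-fix validation as the advisory describes it: upper bound only.
// Returns an empty string on success, otherwise the rejection reason.
std::string ValidateBatchDimVulnerable(int64_t batch_dim, int64_t input_rank) {
  if (batch_dim >= input_rank) return "batch_dim must be < input rank";
  return "";
}

// Post-fix validation (mirrors the patched shape function): negatives rejected
// even though Dim itself would tolerate [-rank, 0), because the op kernel
// requires batch_dim >= 0.
std::string ValidateBatchDimFixed(int64_t batch_dim, int64_t input_rank) {
  if (batch_dim >= input_rank) return "batch_dim must be < input rank";
  if (batch_dim < 0) return "batch_dim must be >=0";
  return "";
}

// Runs the chosen validation and then the Dim lookup that follows it in the
// shape function. Returns false only when validation lets an index through
// that would read outside dims.
bool DimAccessStaysInBounds(const Shape& input, int64_t batch_dim, bool fixed) {
  int64_t rank = static_cast<int64_t>(input.dims.size());
  std::string err = fixed ? ValidateBatchDimFixed(batch_dim, rank)
                          : ValidateBatchDimVulnerable(batch_dim, rank);
  if (!err.empty()) return true;  // rejected before any Dim access
  int64_t pos = 0;
  return ResolveDimIndex(input, batch_dim, &pos);
}
```

For a rank-3 input, batch_dim = -4 passes the pre-fix check (it is less than the rank) and resolves to position -1, which is the read before the array start; the post-fix check rejects it up front.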
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| tensorflow | PyPI | < 2.5.3 | 2.5.3 |
| tensorflow | PyPI | >= 2.6.0, < 2.6.3 | 2.6.3 |
| tensorflow | PyPI | >= 2.7.0, < 2.7.1 | 2.7.1 |
| tensorflow-cpu | PyPI | < 2.5.3 | 2.5.3 |
| tensorflow-cpu | PyPI | >= 2.6.0, < 2.6.3 | 2.6.3 |
| tensorflow-cpu | PyPI | >= 2.7.0, < 2.7.1 | 2.7.1 |
| tensorflow-gpu | PyPI | < 2.5.3 | 2.5.3 |
| tensorflow-gpu | PyPI | >= 2.6.0, < 2.6.3 | 2.6.3 |
| tensorflow-gpu | PyPI | >= 2.7.0, < 2.7.1 | 2.7.1 |
Patches
Commit 37c01fb5e25c: Fix out of bound error in ReverseSequence Op shape function (1 file changed, +10 −0)
tensorflow/core/ops/array_ops.cc+10 −0 modified@@ -1653,11 +1653,21 @@ REGISTER_OP("ReverseSequence") return errors::InvalidArgument( "batch_dim must be < input rank: ", batch_dim, " vs. ", input_rank); } + if (seq_dim >= input_rank) { return errors::InvalidArgument( "seq_dim must be < input rank: ", seq_dim, " vs. ", input_rank); } + // To prevent out of bound access when calling c->Dim(input, batch_dim), + // batch_dim range [-1 * input rank, input rank) is allowed. However, + // the op implementation has a stricter bound for batch_dim requiring >= 0 + // value. Thus, perform strict check here. + if (batch_dim < 0) { + return errors::InvalidArgument("batch_dim must be >=0, got ", + batch_dim); + } + DimensionHandle batch_dim_dim = c->Dim(input, batch_dim); TF_RETURN_IF_ERROR( c->Merge(batch_dim_dim, c->Dim(seq_lens_shape, 0), &batch_dim_dim));
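Review bot: seq_dim gets only the upper-bound check (`if (seq_dim >= input_rank)`) in this hunk, while batch_dim now gets both bounds; if the op kernel requires seq_dim >= 0 as the new comment says it does for batch_dim, add the symmetric `if (seq_dim < 0)` rejection here so the shape function and the kernel agree for both attributes. The new comment is a good record of why the check is stricter than Dim's own tolerated range of [-input_rank, input_rank); for consistency with the adjacent messages, consider "batch_dim must be >= 0" with a space, matching the "must be < input rank" wording above.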
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6gmv-pjp9-p8w8 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-21728 (NVD)
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-52.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-107.yaml
- github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/framework/shape_inference.h
- github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/ops/array_ops.cc
- github.com/tensorflow/tensorflow/commit/37c01fb5e25c3d80213060460196406c43d31995 (fix commit)
- github.com/tensorflow/tensorflow/security/advisories/GHSA-6gmv-pjp9-p8w8 (vendor advisory)