VYPR
High severity · NVD Advisory · Published Feb 3, 2022 · Updated May 5, 2025

Out of bounds read in Tensorflow

CVE-2022-21730

Description

TensorFlow's FractionalAvgPoolGrad operation lacks input validation, enabling heap out-of-bounds read.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The implementation of FractionalAvgPoolGrad in TensorFlow does not validate the row_pooling_sequence and col_pooling_sequence inputs before using their values as indices into the gradient buffer. A negative entry in either sequence produces a negative input index, so the kernel accesses heap memory before the start of the allocation; the fix commit adds the missing negative-bound check on both sequences. Affected versions are TensorFlow 2.7.0, 2.6.0 through 2.6.2, and every release before 2.5.3. The fix is included in TensorFlow 2.8.0 and was backported to 2.7.1, 2.6.3, and 2.5.3 [1][3].

Exploitation

An attacker must be able to supply the pooling-sequence tensors passed to FractionalAvgPoolGrad, for example by controlling a model graph or a script that invokes the raw op. No privileges beyond the ability to run TensorFlow operations are required. A negative value in row_pooling_sequence or col_pooling_sequence moves the computed input index before the start of the gradient buffer, and the kernel then accesses memory outside the allocation [1].

Impact

Successful exploitation results in reading from outside the bounds of heap memory, which can lead to information disclosure: the attacker may obtain data that resides adjacent to the allocated buffer, so the confidentiality of the model or data processed by TensorFlow may be affected. Integrity is not directly compromised. An out-of-bounds access that reaches unmapped memory terminates the process, so a crash of the TensorFlow worker is also possible [1][4].

Mitigation

Upgrade to TensorFlow 2.8.0, or to one of the patched backports 2.7.1, 2.6.3, or 2.5.3. If an immediate upgrade is not possible, do not let untrusted parties supply graphs or pooling-sequence tensors to FractionalAvgPoolGrad; beyond restricting that input, there is no workaround other than patching. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog [1][2].
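The Vulnerability, Exploitation and Mitigation sections above describe the failure in words; the following Python is an added example, not TensorFlow's own code, that models only the kernel's loop structure and index formula in pure Python so the effect of a negative pooling-sequence entry can be seen offline, and pairs it with a pre-call guard that rejects such sequences the way the upstream fix does. The gradient buffer is assumed to be a flat array of batch * in_rows * in_cols positions, the sample shapes and sequences are constructed (the first set reuses the shape from the upstream regression test), and every helper name is hypothetical.

```python
"""Pure-Python model of the index arithmetic inside FractionalAvgPoolGrad.

Added example, not TensorFlow code.  It reproduces only the loop structure
and index formula of the kernel (out_rows/out_cols from the pooling-sequence
lengths, in_row_end clamped with min() against the last valid row,
in_index = (b * in_rows + in_r) * in_cols + in_c) so that a negative
pooling-sequence entry can be traced to an out-of-bounds position.
Assumption: the gradient buffer is a flat array of batch * in_rows * in_cols
positions (one per channel vector); all helper names are hypothetical.
"""
from typing import List, Sequence, Tuple

Shape4D = Tuple[int, int, int, int]  # (batch, in_rows, in_cols, depth)


class InvalidArgument(ValueError):
    """Stands in for TensorFlow's errors::InvalidArgument (assumed name)."""


def validate_pooling_sequence(seq: Sequence[int], in_extent: int, name: str) -> None:
    """Reject a pooling sequence that could index outside [0, in_extent).

    The non-negative check is the one the upstream fix adds.  The length,
    upper-bound and monotonicity checks are stricter and are an assumption of
    this example, not something the advisory states.
    """
    values = list(seq)
    if len(values) < 2:
        raise InvalidArgument(f"{name} sequence tensor needs at least two values, got {values}")
    if any(v < 0 for v in values):
        raise InvalidArgument(f"{name} sequence tensor values must not be negative, got {values}")
    if any(v > in_extent for v in values):
        raise InvalidArgument(f"{name} sequence tensor values must not exceed {in_extent}, got {values}")
    if any(later < earlier for earlier, later in zip(values, values[1:])):
        raise InvalidArgument(f"{name} sequence tensor must be non-decreasing, got {values}")


def grad_access_indices(orig_input_shape: Shape4D, row_seq: Sequence[int],
                        col_seq: Sequence[int], overlapping: bool,
                        validate: bool = True) -> List[Tuple[int, int]]:
    """Return the (out_index, in_index) pairs the kernel's inner loops touch.

    With validate=False this mirrors the unpatched kernel: sequence values are
    used as-is, so a negative entry yields a negative in_index.
    """
    batch, in_rows, in_cols, _depth = orig_input_shape
    out_rows, out_cols = len(row_seq) - 1, len(col_seq) - 1
    in_max_row_index, in_max_col_index = in_rows - 1, in_cols - 1
    if validate:
        validate_pooling_sequence(row_seq, in_rows, "Row")
        validate_pooling_sequence(col_seq, in_cols, "Column")
    pairs: List[Tuple[int, int]] = []
    for b in range(batch):
        for r in range(out_rows):
            in_row_start = row_seq[r]
            in_row_end = row_seq[r + 1] if overlapping else row_seq[r + 1] - 1
            in_row_end = min(in_row_end, in_max_row_index)  # only the end is clamped
            for c in range(out_cols):
                in_col_start = col_seq[c]
                in_col_end = col_seq[c + 1] if overlapping else col_seq[c + 1] - 1
                in_col_end = min(in_col_end, in_max_col_index)
                out_index = (b * out_rows + r) * out_cols + c
                for in_r in range(in_row_start, in_row_end + 1):
                    for in_c in range(in_col_start, in_col_end + 1):
                        pairs.append((out_index, (b * in_rows + in_r) * in_cols + in_c))
    return pairs


def out_of_bounds_positions(orig_input_shape: Shape4D, row_seq: Sequence[int],
                            col_seq: Sequence[int], overlapping: bool) -> List[int]:
    """Flat gradient-buffer positions the unpatched kernel would touch outside
    the allocation (negative, or at/after batch * in_rows * in_cols)."""
    batch, in_rows, in_cols, _depth = orig_input_shape
    size = batch * in_rows * in_cols
    pairs = grad_access_indices(orig_input_shape, row_seq, col_seq, overlapping, validate=False)
    return sorted({i for _, i in pairs if i < 0 or i >= size})


if __name__ == "__main__":
    # Constructed input: the [2, 2, 2, 2] original-input shape and the
    # row sequence starting at -10 used by the upstream regression test.
    shape: Shape4D = (2, 2, 2, 2)
    bad_rows, cols = [-10, 1, 2, 3], [1, 2, 3, 4]
    print("unpatched kernel touches:", out_of_bounds_positions(shape, bad_rows, cols, True))
    try:
        grad_access_indices(shape, bad_rows, cols, True)
    except InvalidArgument as err:
        print("guard rejected the call:", err)
```

Running it shows that the single -10 entry makes the unpatched loop walk ten positions before the start of the buffer (odd offsets from -19 up to -1, because in_cols is 2 and the column index is 1), while the same call with validation enabled fails with the row-sequence error before any index is computed. The upper-bound and monotonicity checks in validate_pooling_sequence go beyond the upstream fix; they are there because, as in the kernel, only the end of each pooling window is clamped, so a start value past the input extent is also worth rejecting before the op runs.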

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Ecosystem   Affected versions    Patched version
tensorflow      PyPI        < 2.5.3              2.5.3
tensorflow      PyPI        >= 2.6.0, < 2.6.3    2.6.3
tensorflow      PyPI        >= 2.7.0, < 2.7.1    2.7.1
tensorflow-cpu  PyPI        < 2.5.3              2.5.3
tensorflow-cpu  PyPI        >= 2.6.0, < 2.6.3    2.6.3
tensorflow-cpu  PyPI        >= 2.7.0, < 2.7.1    2.7.1
tensorflow-gpu  PyPI        < 2.5.3              2.5.3
tensorflow-gpu  PyPI        >= 2.6.0, < 2.6.3    2.6.3
tensorflow-gpu  PyPI        >= 2.7.0, < 2.7.1    2.7.1

Affected products: 5

Patches: 1
002408c3696b

Add negative bound check for row and column pooling_sequence in FractionalAvgPoolGrad op to avoid out of bound heap access

https://github.com/tensorflow/tensorflow · Isha Arkatkar · Dec 3, 2021 · via ghsa
2 files changed · +38 −0
  • tensorflow/core/kernels/fractional_avg_pool_op.cc  +11 −0  modified
    @@ -311,15 +311,26 @@ class FractionalAvgPoolGradOp : public OpKernel {
         for (int64_t b = 0; b < out_batch; ++b) {
           for (int64_t r = 0; r < out_rows; ++r) {
             const int64_t in_row_start = row_seq_tensor_flat(r);
    +
             int64_t in_row_end = overlapping_ ? row_seq_tensor_flat(r + 1)
                                               : row_seq_tensor_flat(r + 1) - 1;
             in_row_end = std::min(in_row_end, in_max_row_index);
    +        OP_REQUIRES(context, in_row_start >= 0 && in_row_end >= 0,
    +                    errors::InvalidArgument(
    +                        "Row sequence tensor values must not be negative, got ",
    +                        row_seq_tensor_flat));
    +
             for (int64_t c = 0; c < out_cols; ++c) {
               const int64_t in_col_start = col_seq_tensor_flat(c);
               int64_t in_col_end = overlapping_ ? col_seq_tensor_flat(c + 1)
                                                 : col_seq_tensor_flat(c + 1) - 1;
               in_col_end = std::min(in_col_end, in_max_col_index);
     
    +          OP_REQUIRES(
    +              context, in_col_start >= 0 && in_col_end >= 0,
    +              errors::InvalidArgument(
    +                  "Column sequence tensor values must not be negative, got ",
    +                  col_seq_tensor_flat));
               const int64_t num_elements_in_pooling_cell =
                   (in_row_end - in_row_start + 1) * (in_col_end - in_col_start + 1);
               const int64_t out_index = (b * out_rows + r) * out_cols + c;
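Review bot: the new OP_REQUIRES checks sit inside the per-batch, per-row and per-column loops, so the row sequence is re-validated for every batch and the column sequence for every (batch, row, column) triple, and each failure message prints the entire flat sequence tensor. Validate row_seq_tensor_flat and col_seq_tensor_flat once, before the `for (int64_t b = 0; b < out_batch; ++b)` loop, and leave the std::min clamping where it is. Note also that only in_row_end and in_col_end are clamped against in_max_row_index / in_max_col_index; `const int64_t in_row_start = row_seq_tensor_flat(r);` and the matching column start are neither clamped nor checked against the upper bound, and the non-negative test does not cover that case.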
    
  • tensorflow/python/kernel_tests/nn_ops/fractional_avg_pool_op_test.py  +27 −0  modified
    @@ -20,6 +20,7 @@
     
     from tensorflow.python.framework import constant_op
     from tensorflow.python.framework import dtypes
    +from tensorflow.python.framework import errors
     from tensorflow.python.framework import test_util
     from tensorflow.python.ops import array_ops
     from tensorflow.python.ops import gen_nn_ops
    @@ -306,6 +307,32 @@ def testDifferentInputTensorShape(self):
               input_b, row_seq, col_seq, overlapping)
           self.assertSequenceEqual(expected.shape, actual.shape)
     
    +  def testNegativeSeqValuesForGradOp(self):
    +    with self.assertRaisesRegex(
    +        errors.InvalidArgumentError,
    +        r"Row sequence tensor values must not be negative.*"):
    +      y = nn_ops.gen_nn_ops.fractional_avg_pool_grad(
    +          orig_input_tensor_shape=[2, 2, 2, 2],
    +          out_backprop=[[[[1, 2], [3, 4], [5, 6]], [[7, 8], [9, 10], [11,
    +                                                                      12]]]],
    +          row_pooling_sequence=[-10, 1, 2, 3],
    +          col_pooling_sequence=[1, 2, 3, 4],
    +          overlapping=True)
    +
    +      self.evaluate(y)
    +      with self.assertRaisesRegex(
    +          errors.InvalidArgumentError,
    +          r"Column sequence tensor values must not be negative.*"):
    +        z = nn_ops.gen_nn_ops.fractional_avg_pool_grad(
    +            orig_input_tensor_shape=[2, 2, 2, 2],
    +            out_backprop=[[[[1, 2], [3, 4], [5, 6]], [[7, 8], [9, 10], [11,
    +                                                                        12]]]],
    +            row_pooling_sequence=[10, 1, 2, 3],
    +            col_pooling_sequence=[1, 2, -3, 4],
    +            overlapping=True)
    +
    +        self.evaluate(z)
    +
     
     class FractionalAvgPoolGradTest(test.TestCase):
       """Tests for FractionalAvgPoolGrad.
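Review bot: the column-sequence case never runs. The second `with self.assertRaisesRegex(` block (the one expecting "Column sequence tensor values must not be negative") is indented inside the first `with` block, after `self.evaluate(y)`; the first block exits as soon as the row-sequence error is raised (at op construction in eager mode, or at `self.evaluate(y)` in graph mode), so nothing after that line executes and the column assertion is dead code. Dedent the second `with` and its `z` body to the same level as the first, or split the two cases into separate test methods, so both error paths are exercised.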
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7

News mentions: 0