VYPR
Moderate severity · NVD Advisory · Published Feb 3, 2022 · Updated May 5, 2025

Memory exhaustion in Tensorflow

CVE-2022-21733

Description

TensorFlow's StringNGrams op lacks input validation, enabling integer overflow that leads to out-of-memory denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The StringNGrams kernel in TensorFlow releases before 2.8.0 (and in the 2.7, 2.6 and 2.5 series before 2.7.1, 2.6.3 and 2.5.3) does not validate the pad_width attribute. In the branch taken when preserve_short_sequences is true and ngram_widths is empty, the kernel computes ngram_width = data_length + 2 * pad_width_ straight from the attribute, so a negative pad_width produces a negative ngram_width. That signed value is then used to size parts of the output; once it is treated as a length it overflows into an enormous allocation, which is the out-of-memory condition behind this advisory [1][3]. Any graph that sets a crafted pad_width on this op reaches the code path.

Exploitation

The trigger is an op attribute, not tensor data: pad_width is fixed when the op is added to a graph, so an attacker needs to control the graph definition. That is trivially the case for code that calls tf.raw_ops.StringNGrams (or gen_string_ops.string_n_grams) directly with a negative pad_width, and it is equally the case for anyone who can get a crafted SavedModel or GraphDef loaded, because the malicious attribute travels with the serialized graph [1][2]. No privileges beyond that are needed. In a model-serving deployment the exposure is therefore loading untrusted models, not receiving crafted inference inputs: a remote caller cannot change the pad_width of a trusted, already-loaded graph.

Impact

Successful exploitation is a denial of service: the process executing the graph runs out of memory. Because ngram_width comes out negative, the sizes derived from it for the output buffers wrap to enormous values; the allocation either fails outright and aborts the process, or is attempted and exhausts the host's memory until the process is killed [1][3]. The advisory's impact is availability only.

Mitigation

The fix is in TensorFlow 2.8.0 and was cherry-picked into 2.7.1, 2.6.3 and 2.5.3 [1][3]; upgrade to one of those releases. There is no workaround for unpatched versions beyond refusing to load untrusted graphs. The patch adds an OP_REQUIRES check that pad_width_ >= 0 in the preserve_short_sequences / empty-ngram_widths branch and returns an InvalidArgument error otherwise, so a negative pad_width now fails at op execution instead of reaching the width computation [3]. The check is specific to that branch: when ngram_widths is supplied, pad_width = -1 remains the sentinel meaning max(ngram_widths) - 1 and is still accepted.
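As an added example (not code from TensorFlow or from the advisory), the following C program models the arithmetic described in the Vulnerability and Mitigation sections above: the unchecked width computation from the vulnerable branch, the way a negative int width wraps once it is converted to a size_t allocation size, and a checked version that applies the pad_width_ >= 0 condition from the fix. The function names, the enum standing in for TensorFlow's InvalidArgument status, and the extra upper bound against signed overflow are this example's own assumptions; the exact downstream call in which the kernel consumes ngram_width is not shown on this page.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the status the kernel returns through OP_REQUIRES with
 * errors::InvalidArgument. Hypothetical enum, not a TensorFlow type. */
typedef enum { WIDTH_OK = 0, WIDTH_INVALID_ARGUMENT = 1 } width_status;

/* Pre-fix behaviour of the vulnerable branch in string_ngrams_op.cc:
 * preserve_short_sequences is true and ngram_widths is empty, so the width
 * is derived from the pad_width attribute with no validation at all. */
int ngram_width_unchecked(int data_length, int pad_width) {
    return data_length + 2 * pad_width;
}

/* Models what happens when that signed width is used as a length or an
 * allocation size: the int -> size_t conversion wraps a negative width to a
 * value just below SIZE_MAX. Assumption: only this conversion is modelled,
 * not the kernel's actual output-buffer code. */
size_t as_allocation_size(int ngram_width) {
    return (size_t)ngram_width;
}

/* Post-fix behaviour: mirrors OP_REQUIRES(context, pad_width_ >= 0, ...).
 * The upper bound is added by this example (it is not in the upstream fix)
 * so that data_length + 2 * pad_width cannot overflow int either. */
width_status ngram_width_checked(int data_length, int pad_width, int *out) {
    if (pad_width < 0 || data_length < 0) {
        return WIDTH_INVALID_ARGUMENT;  /* "Pad width should be >= 0 ..." */
    }
    if (pad_width > (INT_MAX - data_length) / 2) {
        return WIDTH_INVALID_ARGUMENT;  /* would overflow int (example's bound) */
    }
    *out = data_length + 2 * pad_width;
    return WIDTH_OK;
}

/* Requests the allocation the vulnerable code would have asked for.
 * Returns 1 if malloc refused it, 0 if memory was actually handed back.
 * A request near SIZE_MAX is refused on any real host; a merely huge one
 * may be granted and the process later killed by the OOM killer. */
int allocation_refused(size_t n) {
    void *p = malloc(n);
    if (p == NULL) return 1;
    free(p);
    return 0;
}

int main(void) {
    /* Values taken from the regression test in the patch: data "123456"
     * with data_splits [0, 1] is one sequence of length 1; pad_width is -5. */
    int data_length = 1, pad_width = -5, width = 0;

    int bad = ngram_width_unchecked(data_length, pad_width);
    printf("unchecked ngram_width = %d\n", bad);
    printf("as allocation size    = %zu\n", as_allocation_size(bad));
    printf("malloc refused        = %d\n",
           allocation_refused(as_allocation_size(bad)));

    if (ngram_width_checked(data_length, pad_width, &width) != WIDTH_OK)
        printf("checked: InvalidArgument for pad_width=%d\n", pad_width);
    if (ngram_width_checked(data_length, 2, &width) == WIDTH_OK)
        printf("checked: pad_width=2 -> ngram_width=%d\n", width);
    if (ngram_width_checked(data_length, INT_MAX, &width) != WIDTH_OK)
        printf("checked: InvalidArgument for pad_width=INT_MAX (example's bound)\n");
    return 0;
}
```

The two checked rejections differ in origin: the negative case is what the upstream patch stops, while the INT_MAX case is only caught by the example's added upper bound, which is why the 2 * pad_width_ term is worth a second look when reviewing the fix.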

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions     Patched version
tensorflow       PyPI        < 2.5.3               2.5.3
tensorflow       PyPI        >= 2.6.0, < 2.6.3     2.6.3
tensorflow       PyPI        >= 2.7.0, < 2.7.1     2.7.1
tensorflow-cpu   PyPI        < 2.5.3               2.5.3
tensorflow-cpu   PyPI        >= 2.6.0, < 2.6.3     2.6.3
tensorflow-cpu   PyPI        >= 2.7.0, < 2.7.1     2.7.1
tensorflow-gpu   PyPI        < 2.5.3               2.5.3
tensorflow-gpu   PyPI        >= 2.6.0, < 2.6.3     2.6.3
tensorflow-gpu   PyPI        >= 2.7.0, < 2.7.1     2.7.1

Patches

f68fdab93fb7

Add a check for pad width to be a positive value.

https://github.com/tensorflow/tensorflow · Isha Arkatkar · Dec 1, 2021 · via ghsa
2 files changed · +32 −3
  • tensorflow/core/kernels/string_ngrams_op.cc  +10 −0  modified
    @@ -152,6 +152,16 @@ class StringNGramsOp : public tensorflow::OpKernel {
             // We don't have to worry about dynamic padding sizes here: if padding
             // was dynamic, every sequence would have had sufficient padding to
             // generate at least one ngram.
    +
    +        // If reached here, pad_width should be > 0, pad_width_ = -1,
    +        // which indicates max(ngram_widths) - 1 cannot be used here since
    +        // ngram_width is not known.
    +        OP_REQUIRES(
    +            context, pad_width_ >= 0,
    +            errors::InvalidArgument("Pad width should be >= 0 when "
    +                                    "preserve_short_sequences is True and "
    +                                    "ngram_widths are not provided, got ",
    +                                    pad_width_));
             int ngram_width = data_length + 2 * pad_width_;
             auto output_start = &ngrams_data[output_start_idx];
             int num_ngrams = 1;
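Review bot: The new OP_REQUIRES closes the negative side, but `int ngram_width = data_length + 2 * pad_width_;` on the next line is still evaluated in int, so a very large non-negative pad_width_ attribute makes `2 * pad_width_` overflow and can leave ngram_width negative again; since pad_width_ is attacker-controlled graph data, bound it above as well (reject when pad_width_ > (INT_MAX - data_length) / 2, or do the arithmetic in int64). Separately, the added comment "pad_width should be > 0, pad_width_ = -1, which indicates ..." contradicts both the `>= 0` condition and the error text; reword it to say that -1 is the "use max(ngram_widths) - 1" sentinel, which is meaningless when ngram_widths is empty, so only non-negative values are accepted in this branch.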
    
  • tensorflow/python/ops/raw_ops_test.py  +22 −3  modified
    @@ -28,7 +28,6 @@
     
     
     @test_util.run_all_in_graph_and_eager_modes
    -@test_util.disable_tfrt
     class RawOpsTest(test.TestCase, parameterized.TestCase):
     
       def testSimple(self):
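Review bot: Removing `@test_util.disable_tfrt` is unrelated to the pad_width validation and changes which runtimes the entire RawOpsTest class executes under; either split it into its own change or state in the commit message why the class can now run under TFRT.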
    @@ -63,8 +62,9 @@ def testDefaults(self):
       @parameterized.parameters([[0, 8]], [[-1, 6]])
       def testStringNGramsBadDataSplits(self, splits):
         data = ["aa", "bb", "cc", "dd", "ee", "ff"]
    -    with self.assertRaisesRegex(errors.InvalidArgumentError,
    -                                "Invalid split value"):
    +    with self.assertRaisesRegex(
    +        errors.InvalidArgumentError,
    +        r"Invalid split value|First split value must be 0"):
           self.evaluate(
               gen_string_ops.string_n_grams(
                   data=data,
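Review bot: Widening the expected message to `r"Invalid split value|First split value must be 0"` weakens testStringNGramsBadDataSplits: with the alternation, neither parameter set ([0, 8] or [-1, 6]) is pinned to a specific error any more. The two messages evidently come from different checks, so parameterize the expected message alongside the splits rather than accepting either for both.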
    @@ -76,6 +76,25 @@ def testStringNGramsBadDataSplits(self, splits):
                   pad_width=0,
                   preserve_short_sequences=False))
     
    +  def testStringSplit(self):
    +    data = ["123456"]
    +    data_splits = [0, 1]
    +    separator = "a" * 15
    +    ngram_widths = []
    +    pad_width = -5
    +    left_pad = right_pad = ""
    +    with self.assertRaisesRegex(errors.InvalidArgumentError,
    +                                "Pad width should be >= 0"):
    +      self.evaluate(gen_string_ops.string_n_grams(
    +          data=data,
    +          data_splits=data_splits,
    +          separator=separator,
    +          ngram_widths=ngram_widths,
    +          left_pad=left_pad,
    +          right_pad=right_pad,
    +          pad_width=pad_width,
    +          preserve_short_sequences=True))
    +
       def testGetSessionHandle(self):
         if context.executing_eagerly():
           with self.assertRaisesRegex(
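Review bot: `testStringSplit` does not describe what is exercised; this is the regression test for a negative pad_width with preserve_short_sequences=True and empty ngram_widths, so name it accordingly (for example testStringNGramsNegativePadWidth) and place it next to testStringNGramsBadDataSplits. A companion case asserting that pad_width=-1 with a non-empty ngram_widths still succeeds would also show that the new OP_REQUIRES does not reject the sentinel in the other branch.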
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
