Undefined behavior in Tensorflow
Description
TensorFlow SparseTensorSliceDataset null pointer dereference due to missing input validation, leading to undefined behavior.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TensorFlow SparseTensorSliceDataset null pointer dereference due to missing input validation, leading to undefined behavior.
Vulnerability
The implementation of SparseTensorSliceDataset in TensorFlow has an undefined behavior due to a missing validation of its three input arguments (indices, values, dense_shape) representing a sparse tensor. Under certain conditions, this can cause a dereference of a nullptr value. The affected versions are TensorFlow 2.5.x through 2.7.x. The vulnerability was introduced in the original implementation and exists in the source file tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc [4].
Exploitation
An attacker can exploit this vulnerability by providing a crafted sparse tensor to the SparseTensorSliceDataset operation. The missing validation allows the attacker to create conditions where internal null pointer dereference occurs. No authentication or special privileges are required; the attacker only needs to be able to pass data to a TensorFlow model or operation using the vulnerable dataset. This is typically possible in any TensorFlow model that uses SparseTensorSliceDataset with user-supplied input.
Impact
Successful exploitation leads to undefined behavior, typically a crash (denial of service). The vulnerability is classified as a null pointer dereference, which can cause the TensorFlow process to terminate. There is no indication of remote code execution or information disclosure. The impact is limited to availability.
Mitigation
The fix is included in TensorFlow 2.8.0 and cherry-picked into TensorFlow 2.7.1, 2.6.3, and 2.5.3 [1][3]. Users should upgrade to one of these patched versions. No workarounds are available for unpatched versions. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tensorflowPyPI | < 2.5.3 | 2.5.3 |
tensorflowPyPI | >= 2.6.0, < 2.6.3 | 2.6.3 |
tensorflowPyPI | >= 2.7.0, < 2.7.1 | 2.7.1 |
tensorflow-cpuPyPI | < 2.5.3 | 2.5.3 |
tensorflow-cpuPyPI | >= 2.6.0, < 2.6.3 | 2.6.3 |
tensorflow-cpuPyPI | >= 2.7.0, < 2.7.1 | 2.7.1 |
tensorflow-gpuPyPI | < 2.5.3 | 2.5.3 |
tensorflow-gpuPyPI | >= 2.6.0, < 2.6.3 | 2.6.3 |
tensorflow-gpuPyPI | >= 2.7.0, < 2.7.1 | 2.7.1 |
Affected products
5- osv-coords4 versions
< 2.5.3+ 3 more
- (no CPE)range: < 2.5.3
- (no CPE)range: < 2.5.3
- (no CPE)range: < 2.5.3
- (no CPE)range: < 2.5.3
Patches
1965b97e4a965Properly validate sparse tensor in `SparseTensorSliceDataset`
2 files changed · +39 −19
tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc+20 −19 modified@@ -240,28 +240,29 @@ class SparseTensorSliceDatasetOp : public DatasetOpKernel { OP_REQUIRES_OK(ctx, ctx->input("dense_shape", &dense_shape)); OP_REQUIRES(ctx, TensorShapeUtils::IsMatrix(indices->shape()), - errors::InvalidArgument( - "Input indices should be a matrix but received shape ", - indices->shape().DebugString())); - - const auto num_indices = indices->NumElements(); - const auto num_values = values->NumElements(); - if (num_indices == 0 || num_values == 0) { - OP_REQUIRES(ctx, num_indices == num_values, - errors::InvalidArgument( - "If indices or values are empty, the other one must also " - "be. Got indices of shape ", - indices->shape().DebugString(), " and values of shape ", - values->shape().DebugString())); - } + errors::InvalidArgument("Input indices must be a matrix. Got: ", + indices->shape().DebugString())); OP_REQUIRES(ctx, TensorShapeUtils::IsVector(values->shape()), - errors::InvalidArgument( - "Input values should be a vector but received shape ", - indices->shape().DebugString())); + errors::InvalidArgument("Input values must be a vector. Got: ", + values->shape().DebugString())); OP_REQUIRES(ctx, TensorShapeUtils::IsVector(dense_shape->shape()), + errors::InvalidArgument("Input shape must be a vector. Got: ", + dense_shape->shape().DebugString())); + OP_REQUIRES( + ctx, values->shape().dim_size(0) == indices->shape().dim_size(0), + errors::InvalidArgument( + "Number of values must match first dimension of indices. ", "Got ", + values->shape().dim_size(0), + " values, indices shape: ", indices->shape().DebugString())); + OP_REQUIRES( + ctx, dense_shape->shape().dim_size(0) == indices->shape().dim_size(1), + errors::InvalidArgument( + "Number of dimensions must match second dimension of indices. ", + "Got ", dense_shape->shape().dim_size(0), + " dimensions, indices shape: ", indices->shape().DebugString())); + OP_REQUIRES(ctx, dense_shape->NumElements() > 0, errors::InvalidArgument( - "Input shape should be a vector but received shape ", - dense_shape->shape().DebugString())); + "The shape argument requires at least one element.")); // We currently ensure that `sparse_tensor` is ordered in the // batch dimension.
tensorflow/python/data/kernel_tests/from_sparse_tensor_slices_test.py+19 −0 modified@@ -134,6 +134,25 @@ def testEmptySparseTensorSlicesInvalid(self): with self.assertRaises(errors.InvalidArgumentError): sess.run(init_op, feed_dict={st: sparse_feed}) + @combinations.generate(combinations.combine(tf_api_version=1, mode=["graph"])) + def testEmptySparseTensorSlicesInvalid2(self): + """Test a dataset based on invalid `tf.sparse.SparseTensor`.""" + st = array_ops.sparse_placeholder(dtypes.float64) + iterator = dataset_ops.make_initializable_iterator( + dataset_ops.Dataset.from_sparse_tensor_slices(st)) + init_op = iterator.initializer + + with self.cached_session() as sess: + # Test with an empty sparse tensor but with non empty values. + empty_indices = [[]] + empty_values = [] + dense_shape = [1, 1] + sparse_feed = sparse_tensor.SparseTensorValue(empty_indices, empty_values, + dense_shape) + # Here, we expect the test to fail when running the feed. + with self.assertRaises(errors.InvalidArgumentError): + sess.run(init_op, feed_dict={st: sparse_feed}) + @combinations.generate(combinations.combine(tf_api_version=2, mode=["eager"])) def testFromSparseTensorSlicesError(self): with self.assertRaises(AttributeError):
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-pfjj-m3jj-9jc9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-21736ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-60.yamlghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-115.yamlghsaWEB
- github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.ccghsax_refsource_MISCWEB
- github.com/tensorflow/tensorflow/commit/965b97e4a9650495cda5a8c210ef6684b4b9ecebghsax_refsource_MISCWEB
- github.com/tensorflow/tensorflow/security/advisories/GHSA-pfjj-m3jj-9jc9ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.