Null pointer dereference in TensorFlow
Description
TensorFlow's QuantizedMaxPool operation has an undefined behavior where a user-controlled input can trigger a null pointer reference, potentially causing a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The implementation of QuantizedMaxPool in TensorFlow contains a bug where user-controlled inputs can cause a reference binding to a null pointer, leading to undefined behavior [1]. Affected releases are TensorFlow before 2.5.3, 2.6.0 through 2.6.2, and 2.7.0 [1]. The vulnerable code is the Compute() method of the QuantizedMaxPool kernel in tensorflow/core/kernels/quantized_pooling_ops.cc [4]: it reads the quantization range as context->input(1).flat<float>()(0) and context->input(2).flat<float>()(0) without first checking that the min_input and max_input tensors hold any element. When either tensor is empty, its flat view has no backing storage, and indexing element 0 binds a reference through a null data pointer. The op is reachable through the public TensorFlow API, so any caller that can feed tensors to a QuantizedMaxPool node chooses those shapes.
Exploitation
An attacker exploits this by executing a QuantizedMaxPool op whose min_input or max_input argument is an empty tensor (zero elements); the fix commit describes the trigger as an empty list passed for either parameter. No authentication or special network position is required beyond the ability to load and execute a TensorFlow graph or feed data to a running session, for example by calling tf.raw_ops.QuantizedMaxPool directly or by supplying a SavedModel that contains the node. The dereference happens at the start of the op's kernel execution, before any pooling is performed, so the only thing the attacker needs to control is the shape of the two range arguments; the image input itself can be well-formed.
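The following is an added example, not TensorFlow's own code and not part of the advisory, that models the Vulnerability and Exploitation sections above in C++. It goes slightly beyond the page: besides the empty-tensor case that triggers the null dereference and the NumElements() == 1 check the fix introduces, it shows that a shape-[1] tensor passes that check even though the error message calls the argument a scalar, and what a rank-0 check would reject instead. Shape, Tensor, Status, flat0(), scalar_tensor(), empty_tensor(), one_element_vec(), vulnerable_range(), patched_range(), strict_range() and the *_accepts() helpers are names assumed here for illustration; the real kernel uses tensorflow::Tensor::flat<float>()(0), TensorShape::num_elements() and OP_REQUIRES with errors::InvalidArgument.

```cpp
// Added example, not TensorFlow's own code: a minimal model of the
// QuantizedMaxPool bug and of the check the fix commit adds. Shape, Tensor,
// Status, flat0() and every function below are assumptions of this example.
#include <iostream>
#include <string>
#include <vector>

struct Shape {
    std::vector<long> dims;                     // empty dims = rank-0 scalar
    long num_elements() const {
        long n = 1;
        for (long d : dims) n *= d;
        return n;
    }
    bool is_scalar() const { return dims.empty(); }
};

struct Tensor {
    Shape shape;
    std::vector<float> data;                    // zero-length for an empty tensor
    // Stand-in for tensor.flat<float>()(0): a map over the raw buffer pointer,
    // indexed at 0. A zero-element tensor has no backing storage, so the
    // pointer is null and this binds a reference through nullptr (UB).
    const float& flat0() const { return *data.data(); }
};

struct Status {
    enum Code { OK, INVALID_ARGUMENT } code = OK;
    std::string message;
    bool ok() const { return code == OK; }
};

static Status invalid_argument(const std::string& m) {
    return Status{Status::INVALID_ARGUMENT, m};
}

// The three input shapes worth distinguishing.
Tensor scalar_tensor(float v)   { return Tensor{Shape{{}}, {v}}; }   // shape []  : 1 element, rank 0
Tensor empty_tensor()           { return Tensor{Shape{{0}}, {}}; }   // shape [0] : 0 elements
Tensor one_element_vec(float v) { return Tensor{Shape{{1}}, {v}}; }  // shape [1] : 1 element, rank 1

// Pre-fix Compute(): reads element 0 of min_input and max_input unconditionally.
// Correct only when both tensors hold an element; with empty_tensor() it
// dereferences null. Kept to show the bug; never call it on empty input.
float vulnerable_range(const Tensor& min_input, const Tensor& max_input) {
    const float lo = min_input.flat0();
    const float hi = max_input.flat0();
    return hi - lo;
}

// Post-fix Compute(): the NumElements() == 1 guard from the fix commit runs
// before either element is read, so the null dereference is unreachable.
Status patched_range(const Tensor& min_input, const Tensor& max_input, float* out) {
    if (min_input.shape.num_elements() != 1)
        return invalid_argument("min_input must be a scalar float value");
    if (max_input.shape.num_elements() != 1)
        return invalid_argument("max_input must be a scalar float value");
    *out = vulnerable_range(min_input, max_input);   // safe: both non-empty
    return Status{};
}

// Stricter variant (beyond the patch): require rank 0, so a shape-[1] tensor
// is rejected as well, matching what the error message promises.
Status strict_range(const Tensor& min_input, const Tensor& max_input, float* out) {
    if (!min_input.shape.is_scalar())
        return invalid_argument("min_input must be a rank-0 scalar");
    if (!max_input.shape.is_scalar())
        return invalid_argument("max_input must be a rank-0 scalar");
    *out = vulnerable_range(min_input, max_input);
    return Status{};
}

// One-expression accept/reject probes for the two guards.
bool patched_accepts(const Tensor& lo, const Tensor& hi) { float r = 0; return patched_range(lo, hi, &r).ok(); }
bool strict_accepts(const Tensor& lo, const Tensor& hi)  { float r = 0; return strict_range(lo, hi, &r).ok(); }

int main() {
    const Tensor good_min = scalar_tensor(-1.0f), good_max = scalar_tensor(6.0f);
    float range = 0;
    std::cout << "scalar/scalar -> ok=" << patched_range(good_min, good_max, &range).ok()
              << " range=" << range << '\n';
    std::cout << "empty/scalar  -> " << patched_range(empty_tensor(), good_max, &range).message << '\n';
    std::cout << "[1]/scalar    -> patched accepts=" << patched_accepts(one_element_vec(0.f), good_max)
              << " strict accepts=" << strict_accepts(one_element_vec(0.f), good_max) << '\n';
    return 0;
}
```

The empty-tensor path is exactly the attacker's input from the Exploitation section: vulnerable_range() would read through a null pointer, while patched_range() returns InvalidArgument before the read. The shape-[1] case is the caveat a reviewer of the fix should note: the NumElements() == 1 guard is enough to close the null dereference, but it is looser than the scalar contract its error message states.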
Impact
Successful exploitation binds a reference through a null pointer, which is undefined behavior; in practice the read of element 0 faults and the TensorFlow process crashes, a denial of service (DoS). The public advisory and the fix describe only this null pointer case [1]; nothing on this page supports a memory-disclosure or code-execution outcome. Since TensorFlow commonly runs in server environments, a crash takes down whichever inference service executes the attacker's graph, and a model-serving process that loads untrusted models is the realistic target.
Mitigation
Patches are available in TensorFlow 2.8.0 and have been backported to TensorFlow 2.7.1, 2.6.3, and 2.5.3 [1]. Users should upgrade to one of these releases. Where an upgrade cannot happen immediately, the only defence is at the application boundary: do not execute graphs or SavedModels from untrusted sources, and validate that min_input and max_input are one-element float tensors before invoking the op; the kernel itself cannot be hardened without rebuilding from patched source. Users on end-of-life versions (prior to 2.5.x) receive no fix for those lines and should move to a supported release.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (PyPI) | Affected versions | Patched versions |
|---|---|---|
| tensorflow | < 2.5.3 | 2.5.3 |
| tensorflow | >= 2.6.0, < 2.6.3 | 2.6.3 |
| tensorflow | >= 2.7.0, < 2.7.1 | 2.7.1 |
| tensorflow-cpu | < 2.5.3 | 2.5.3 |
| tensorflow-cpu | >= 2.6.0, < 2.6.3 | 2.6.3 |
| tensorflow-cpu | >= 2.7.0, < 2.7.1 | 2.7.1 |
| tensorflow-gpu | < 2.5.3 | 2.5.3 |
| tensorflow-gpu | >= 2.6.0, < 2.6.3 | 2.6.3 |
| tensorflow-gpu | >= 2.7.0, < 2.7.1 | 2.7.1 |
Affected products
4 OSV version entries, none with a CPE assigned; the first range listed is < 2.5.3 and 3 further ranges are not expanded here.
Patches
53b0dd6dc595: Fix nullptr exception in QuantizedMaxPool op when empty list is sent to min_input or max_input parameters.
1 file changed · +14 −0
tensorflow/core/kernels/quantized_pooling_ops.cc+14 −0 modified@@ -15,6 +15,8 @@ limitations under the License. // See docs in ../ops/nn_ops.cc. +#include "tensorflow/core/framework/op_requires.h" +#include "tensorflow/core/platform/errors.h" #define EIGEN_USE_THREADS #include "third_party/eigen3/unsupported/Eigen/CXX11/Tensor" @@ -117,6 +119,18 @@ class QuantizedMaxPoolingOp : public MaxPoolingOp<Device, T> { : MaxPoolingOp<Device, T>(context) {} void Compute(OpKernelContext* context) override { + auto min_input_tensor = context->input(1); + auto max_input_tensor = context->input(2); + OP_REQUIRES( + context, min_input_tensor.NumElements() == 1, + errors::InvalidArgument( + "min_input must be a scalar float value, got tensor with shape ", + min_input_tensor.shape())); + OP_REQUIRES( + context, max_input_tensor.NumElements() == 1, + errors::InvalidArgument( + "max_input must be a scalar float value, got tensor with shape ", + max_input_tensor.shape())); const float min_input = context->input(1).flat<float>()(0); const float max_input = context->input(2).flat<float>()(0); MaxPoolingOp<Device, T>::Compute(context);
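Review bot: in the first hunk the two new includes (op_requires.h, errors.h) are dropped in above `#define EIGEN_USE_THREADS` rather than into the file's tensorflow/core include group; since they exist only to serve the OP_REQUIRES and errors::InvalidArgument calls added in the Compute() hunk, place them with the other framework includes below the Eigen block so the EIGEN_USE_THREADS definition stays directly in front of the Eigen tensor include it configures.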
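Review bot: the new guards in Compute() test NumElements() == 1, which accepts a shape-[1] or [1,1] tensor while the error text says the value "must be a scalar"; if rank 0 is the contract, check TensorShapeUtils::IsScalar(min_input_tensor.shape()) (and the same for max_input_tensor), otherwise reword the message to "must contain exactly one element". The unchanged lines after the guard still call context->input(1).flat<float>()(0) and context->input(2).flat<float>()(0) instead of reusing min_input_tensor and max_input_tensor; reading from the already-fetched locals avoids a second lookup and makes it visible that the tensor checked is the tensor read.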
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- GitHub advisory: github.com/advisories/GHSA-3mw4-6rj6-74g5
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2022-21739
- PyPA advisory database (tensorflow-cpu): github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-63.yaml
- PyPA advisory database (tensorflow-gpu): github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-118.yaml
- Source file referenced by the advisory: github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/quantized_pooling_ops.cc
- Fix commit: github.com/tensorflow/tensorflow/commit/53b0dd6dc5957652f35964af16b892ec9af4a559
- TensorFlow security advisory: github.com/tensorflow/tensorflow/security/advisories/GHSA-3mw4-6rj6-74g5
News mentions
No linked articles in our index yet.