High severity · NVD Advisory · Published Feb 4, 2022 · Updated Apr 23, 2025
Integer overflow in Tensorflow
CVE-2022-23562
Description
TensorFlow is an open source machine learning framework. The implementation of Range suffers from integer overflows. These can trigger undefined behavior or, in some scenarios, extremely large allocations. The fix will be included in TensorFlow 2.8.0. We will also cherry-pick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in the supported range.
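The overflow class described above, shown as a checked size computation. This is an added example, not TensorFlow's code or the code from the fix commit; the function names `CheckedRangeSizeInt` and `CheckedRangeSizeFloat` are hypothetical, and it assumes `int64_t` and `double` inputs.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical helpers (not TensorFlow functions). Each writes the element
// count of range(start, limit, delta) to *out and returns true, or returns
// false when the arguments are invalid or the count does not fit in int64_t.
bool CheckedRangeSizeInt(int64_t start, int64_t limit, int64_t delta,
                         int64_t* out) {
  if (delta == 0) return false;
  if ((delta > 0 && start > limit) || (delta < 0 && start < limit)) return false;
  // Work on magnitudes in uint64_t: unsigned subtraction wraps modulo 2^64,
  // so limit - start cannot hit signed-overflow undefined behaviour.
  const uint64_t lo = static_cast<uint64_t>(delta > 0 ? start : limit);
  const uint64_t hi = static_cast<uint64_t>(delta > 0 ? limit : start);
  const uint64_t span = hi - lo;
  const uint64_t step = delta > 0 ? static_cast<uint64_t>(delta)
                                  : uint64_t{0} - static_cast<uint64_t>(delta);
  // ceil(span / step) without forming span + step - 1, which could wrap.
  const uint64_t n = span / step + (span % step != 0 ? 1 : 0);
  if (n > static_cast<uint64_t>(std::numeric_limits<int64_t>::max())) return false;
  *out = static_cast<int64_t>(n);
  return true;
}

bool CheckedRangeSizeFloat(double start, double limit, double delta,
                           int64_t* out) {
  if (delta == 0) return false;
  if ((delta > 0 && start > limit) || (delta < 0 && start < limit)) return false;
  const double n = std::ceil(std::fabs((limit - start) / delta));
  // INT64_MAX is not representable as a double and rounds up to 2^63, so the
  // bound is an exclusive comparison against 2^63. The negated form also
  // rejects NaN and infinity.
  const double kTwoPow63 = 9223372036854775808.0;
  if (!(n < kTwoPow63)) return false;
  *out = static_cast<int64_t>(n);
  return true;
}

int main() {
  int64_t n = 0;
  // Constructed input mirroring the page's test case: start=-1e+38, limit=1.
  bool ok = CheckedRangeSizeFloat(-1e38, 1.0, 1.0, &n);
  std::printf("range(-1e38, 1): %s\n", ok ? "accepted" : "rejected");
  return 0;
}
```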
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tensorflow (PyPI) | < 2.5.3 | 2.5.3 |
| tensorflow (PyPI) | >= 2.6.0, < 2.6.3 | 2.6.3 |
| tensorflow (PyPI) | >= 2.7.0, < 2.7.1 | 2.7.1 |
| tensorflow-cpu (PyPI) | < 2.5.3 | 2.5.3 |
| tensorflow-cpu (PyPI) | >= 2.6.0, < 2.6.3 | 2.6.3 |
| tensorflow-cpu (PyPI) | >= 2.7.0, < 2.7.1 | 2.7.1 |
| tensorflow-gpu (PyPI) | < 2.5.3 | 2.5.3 |
| tensorflow-gpu (PyPI) | >= 2.6.0, < 2.6.3 | 2.6.3 |
| tensorflow-gpu (PyPI) | >= 2.7.0, < 2.7.1 | 2.7.1 |
Affected products
- Range: >= 2.7.0, < 2.7.1
Patches
f0147751fd5d: Merge pull request #52707 from elfringham:init_ops_test_fix
3 files changed · +21 −8
tensorflow/core/kernels/sequence_ops.cc+13 −7 modified@@ -91,13 +91,19 @@ class RangeOp : public OpKernel { errors::InvalidArgument( "Requires start >= limit when delta < 0: ", start, "/", limit)); } - int64_t size = 0; - if (std::is_integral<T>::value) { - size = static_cast<int64_t>( - (std::abs(limit - start) + std::abs(delta) - 1) / std::abs(delta)); - } else { - size = static_cast<int64_t>(std::ceil(std::abs((limit - start) / delta))); - } + auto size_auto = (std::is_integral<T>::value + ? (Eigen::numext::abs(limit - start) + + Eigen::numext::abs(delta) - T(1)) / + Eigen::numext::abs(delta) + : Eigen::numext::ceil( + Eigen::numext::abs((limit - start) / delta))); + OP_REQUIRES( + context, size_auto <= std::numeric_limits<int64_t>::max(), + errors::InvalidArgument("Requires ((limit - start) / delta) <= ", + std::numeric_limits<int64_t>::max())); + + int64_t size = static_cast<int64_t>(size_auto); + TensorShape shape; OP_REQUIRES_OK(context, shape.AddDimWithStatus(size)); Tensor* out = nullptr;
tensorflow/core/ops/math_ops.cc+7 −0 modified@@ -1489,6 +1489,13 @@ Status RangeSize(const Tensor* start_t, const Tensor* limit_t, Eigen::numext::abs(delta)) : (Eigen::numext::ceil( Eigen::numext::abs((limit - start) / delta)))); + + // Undefined behaviour if size will not fit into int64_t + if (size > std::numeric_limits<int64_t>::max()) { + return errors::InvalidArgument("Requires ((limit - start) / delta) <= ", + std::numeric_limits<int64_t>::max()); + } + c->set_output(0, c->Vector(static_cast<int64_t>(size))); return Status::OK(); }
tensorflow/python/kernel_tests/array_ops/init_ops_test.py+1 −1 modified@@ -548,7 +548,7 @@ def testLargeLimits(self): def testLargeStarts(self): # Test case for GitHub issue 46899. with self.session(): - with self.assertRaises(errors_impl.InvalidArgumentError): + with self.assertRaises((ValueError, errors_impl.InvalidArgumentError)): v = math_ops.range(start=-1e+38, limit=1) self.evaluate(v)
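Review bot: in the sequence_ops.cc hunk, the integral branch still evaluates `Eigen::numext::abs(limit - start) + Eigen::numext::abs(delta) - T(1)` in type T before the new OP_REQUIRES runs, so for a signed integer T the subtraction or the addition can overflow first. The result of that branch is itself an integer no wider than int64_t, so it can never exceed `std::numeric_limits<int64_t>::max()` and the new bound does nothing for it. Compute the span in an unsigned 64-bit type or with overflow-checked arithmetic, and reject out-of-range inputs before the division.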
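Review bot: in the math_ops.cc hunk, `size > std::numeric_limits<int64_t>::max()` is evaluated in floating point when size is a float or double, and the int64_t maximum is not representable there: it converts to 2^63. A size of exactly 2^63 passes the check and reaches `static_cast<int64_t>(size)` out of range, which is the undefined behaviour the added comment says it prevents. Compare with `>=` against an explicit 2^63 constant instead; the `size_auto <= std::numeric_limits<int64_t>::max()` check in the RangeOp kernel has the same boundary.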
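Review bot: in the init_ops_test.py hunk, `assertRaises((ValueError, errors_impl.InvalidArgumentError))` in testLargeStarts now passes on any ValueError, not only the new bounds error. Use assertRaisesRegex and match the "Requires ((limit - start) / delta) <=" text that both C++ checks emit, and add a case at the int64_t limit so the boundary itself is exercised.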
References
- github.com/advisories/GHSA-qx3f-p745-w4hr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-23562 (ghsa, ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-71.yaml (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-126.yaml (ghsa, WEB)
- github.com/tensorflow/tensorflow/commit/f0147751fd5d2ff23251149ebad9af9f03010732 (ghsa, x_refsource_MISC, WEB)
- github.com/tensorflow/tensorflow/issues/52676 (ghsa, x_refsource_MISC, WEB)
- github.com/tensorflow/tensorflow/pull/51733 (ghsa, x_refsource_MISC, WEB)
- github.com/tensorflow/tensorflow/security/advisories/GHSA-qx3f-p745-w4hr (ghsa, x_refsource_CONFIRM, WEB)