Memory leak in decoding PNG images in Tensorflow
Description
Tensorflow is an Open Source Machine Learning Framework. When decoding PNG images TensorFlow can produce a memory leak if the image is invalid. After calling png::CommonInitDecode(..., &decode), the decode value contains allocated buffers which can only be freed by calling png::CommonFreeDecode(&decode). However, several error case in the function implementation invoke the OP_REQUIRES macro which immediately terminates the execution of the function, without allowing for the memory free to occur. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tensorflowPyPI | < 2.5.3 | 2.5.3 |
tensorflowPyPI | >= 2.6.0, < 2.6.3 | 2.6.3 |
tensorflowPyPI | >= 2.7.0, < 2.7.1 | 2.7.1 |
tensorflow-cpuPyPI | < 2.5.3 | 2.5.3 |
tensorflow-cpuPyPI | >= 2.6.0, < 2.6.3 | 2.6.3 |
tensorflow-cpuPyPI | >= 2.7.0, < 2.7.1 | 2.7.1 |
tensorflow-gpuPyPI | < 2.5.3 | 2.5.3 |
tensorflow-gpuPyPI | >= 2.6.0, < 2.6.3 | 2.6.3 |
tensorflow-gpuPyPI | >= 2.7.0, < 2.7.1 | 2.7.1 |
Affected products
1- Range: < 2.5.3
Patches
1ab51e5b81357Prevent memory leak in decoding PNG images.
1 file changed · +12 −0
tensorflow/core/kernels/image/decode_image_op.cc+12 −0 modified@@ -18,6 +18,8 @@ limitations under the License. #include <cstdint> #include <memory> +#include "tensorflow/core/lib/gtl/cleanup.h" + #define EIGEN_USE_THREADS #include "absl/strings/escaping.h" @@ -326,6 +328,16 @@ class DecodeImageV2Op : public OpKernel { context, png::CommonInitDecode(input, channels_, channel_bits, &decode), errors::InvalidArgument("Invalid PNG. Failed to initialize decoder.")); + // If we reach this point, then there is data in `decode` which must be + // freed by the time we end execution in this function. We cannot call + // `png::CommonFreeDecode()` before an `OP_REQUIRES` because if + // `OP_REQUIRES` constraint is satisfied then the data would be freed + // prematurely. Instead, let's use a `Cleanup` object. + auto cleanup = gtl::MakeCleanup([&decode]() { + std::cerr << "Cleanup called...\n"; + png::CommonFreeDecode(&decode); + }); + // Verify that width and height are not too large: // - verify width and height don't overflow int. // - width can later be multiplied by channels_ and sizeof(uint16), so
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-fq6p-6334-8gr4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-23585ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-94.yamlghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-149.yamlghsaWEB
- github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/image/decode_image_op.ccghsax_refsource_MISCWEB
- github.com/tensorflow/tensorflow/commit/ab51e5b813573dc9f51efa335aebcf2994125ee9ghsax_refsource_MISCWEB
- github.com/tensorflow/tensorflow/security/advisories/GHSA-fq6p-6334-8gr4ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.