Missing validation causes denial of service in TensorFlow via `LoadAndRemapMatrix`
Description
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.LoadAndRemapMatrix` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code assumes `initializing_values` is a vector but there is no validation for this before accessing its value. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
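The failure mode described above, reduced to a self-contained C++ model (an added example, not TensorFlow's code). `ToyTensor`, `ToyStatus`, `RemapUnchecked` and `RemapChecked` are hypothetical stand-ins: the abort in `vec()` models the CHECK-failure, and the rank test mirrors the `dims() == 1` guard in the fix commit.

```cpp
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>
// Hypothetical stand-in for tensorflow::Tensor: a shape plus flat int64 data.
struct ToyTensor {
  std::vector<int64_t> shape;  // empty shape means scalar (rank 0)
  std::vector<int64_t> data;
  int dims() const { return static_cast<int>(shape.size()); }
  // Models the CHECK-failure from the description: a rank mismatch in the
  // vector accessor terminates the whole process, not just this op.
  const std::vector<int64_t>& vec() const {
    if (dims() != 1) {
      std::cerr << "Check failed: rank " << dims() << " != 1\n";
      std::abort();
    }
    return data;
  }
};

// Hypothetical stand-in for tensorflow::Status.
struct ToyStatus { bool ok; std::string message; };
// Size check that both variants share (it follows the new check in the patch).
static ToyStatus CheckSize(const ToyTensor& t, int64_t num_rows) {
  if (static_cast<int64_t>(t.vec().size()) != num_rows)
    return {false, "size of row_remapping does not match num_rows"};
  return {true, ""};
}

// Before the fix: straight to vec(); a scalar input aborts the process.
ToyStatus RemapUnchecked(const ToyTensor& row_remapping, int64_t num_rows) {
  return CheckSize(row_remapping, num_rows);
}

// After the fix: rank is validated first, so bad input is a normal error.
ToyStatus RemapChecked(const ToyTensor& row_remapping, int64_t num_rows) {
  if (row_remapping.dims() != 1)
    return {false, "The `row_remapping` tensor must be 1-D, got rank " +
                       std::to_string(row_remapping.dims())};
  return CheckSize(row_remapping, num_rows);
}

int main() {
  ToyTensor scalar{{}, {0}};       // constructed: rank-0 row_remapping
  ToyTensor rows{{3}, {0, 1, 2}};  // constructed: valid 1-D input
  std::cout << RemapChecked(scalar, 1).message << "\n";
  std::cout << "valid input ok: " << RemapChecked(rows, 3).ok << "\n";
  // RemapUnchecked(scalar, 1) would abort here instead of returning.
}
```

In a serving process the difference is between one request failing with `InvalidArgument` and every in-flight request being lost when the process dies.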
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tensorflow (PyPI) | < 2.6.4 | 2.6.4 |
| tensorflow (PyPI) | >= 2.7.0, < 2.7.2 | 2.7.2 |
| tensorflow (PyPI) | >= 2.8.0, < 2.8.1 | 2.8.1 |
| tensorflow-cpu (PyPI) | < 2.6.4 | 2.6.4 |
| tensorflow-cpu (PyPI) | >= 2.7.0, < 2.7.2 | 2.7.2 |
| tensorflow-cpu (PyPI) | >= 2.8.0, < 2.8.1 | 2.8.1 |
| tensorflow-gpu (PyPI) | < 2.6.4 | 2.6.4 |
| tensorflow-gpu (PyPI) | >= 2.7.0, < 2.7.2 | 2.7.2 |
| tensorflow-gpu (PyPI) | >= 2.8.0, < 2.8.1 | 2.8.1 |
Affected products
- Range: < 2.6.4
Patches
3150642acbbe: Fix tf.raw_ops.LoadAndRemapMatrix vulnerability with invalid `row_remapping`.
2 files changed · +31 −0
tensorflow/core/kernels/load_and_remap_matrix_op.cc+5 −0 modified@@ -74,6 +74,11 @@ class LoadAndRemapMatrixOp : public OpKernel { std::vector<bool> row_id_present; const Tensor* row_remapping_t; OP_REQUIRES_OK(context, context->input("row_remapping", &row_remapping_t)); + OP_REQUIRES( + context, row_remapping_t->dims() == 1, + errors::InvalidArgument("The `row_remapping` tensor must be 1-D, got " + "a tensor of shape ", + row_remapping_t->shape().DebugString())); const auto row_remapping = row_remapping_t->vec<int64_t>(); OP_REQUIRES(context, row_remapping.size() == num_rows_, errors::InvalidArgument(strings::StrCat(
tensorflow/python/kernel_tests/io_ops/checkpoint_ops_test.py+26 −0 modified@@ -227,6 +227,32 @@ def test_load_and_remap_all_missing_rows_and_cols(self): np.reshape(initializing_values, (num_rows, num_cols)), self.evaluate(remapped_matrix)) + def test_load_and_remap_invalid_dims(self): + ckpt_path = constant_op.constant( + '/tmp/warm_starting_util_test5kl2a3pc/tmpph76tep2/model-0', + shape=[], + dtype=dtypes.string) + old_tensor_name = constant_op.constant( + '/tmp/warm_starting_util_test5kl2a3pc/tmpph76tep2/model-0', + shape=[], + dtype=dtypes.string) + row_remapping = constant_op.constant(0, shape=[], dtype=dtypes.int64) + col_remapping = constant_op.constant(3, shape=[3], dtype=dtypes.int64) + initializing_values = constant_op.constant([], + shape=[0, 1], + dtype=dtypes.float32) + with self.cached_session(), self.assertRaisesRegex( + (ValueError, errors.InvalidArgumentError), 'tensor must be 1-D'): + self.evaluate( + gen_checkpoint_ops.load_and_remap_matrix( + ckpt_path=ckpt_path, + old_tensor_name=old_tensor_name, + row_remapping=row_remapping, + col_remapping=col_remapping, + initializing_values=initializing_values, + num_rows=1, + num_cols=1)) + @test_util.run_deprecated_v1 def test_load_and_remap_invalid_remapping(self): """Tests that errors are raised when an ID maps to multiple new IDs.
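Review bot: the new `OP_REQUIRES` in `load_and_remap_matrix_op.cc` guards the rank of `row_remapping` only, while the description names `initializing_values` as the input that is assumed to be a vector without validation. Nothing in this hunk checks that input, so if it is read through `vec<>()` further down it needs the same `dims() == 1` guard before the access; if that check already exists outside the visible context, the commit message should say so. As a style point, `TensorShapeUtils::IsVector(row_remapping_t->shape())` states the intent more directly than comparing `dims()` to 1.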
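Review bot: `test_load_and_remap_invalid_dims` in `checkpoint_ops_test.py` passes a scalar `row_remapping` together with a `[0, 1]`-shaped `initializing_values`, so the `'tensor must be 1-D'` match only proves that the `row_remapping` check fires. A second case with a valid 1-D `row_remapping` and a non-vector `initializing_values` would cover the input the description calls out. `ckpt_path` and `old_tensor_name` also carry the same hard-coded `/tmp/warm_starting_util_test5kl2a3pc/tmpph76tep2/model-0` string; a path under `self.get_temp_dir()` and a distinct tensor name would make the test's intent clearer, and a one-line docstring like the neighbouring tests have is missing.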
References
- github.com/advisories/GHSA-p9rc-rmr5-529j (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-29199 (ADVISORY)
- github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/kernels/load_and_remap_matrix_op.cc (WEB)
- github.com/tensorflow/tensorflow/commit/3150642acbbe254e3c3c5d2232143fa591855ac9 (WEB)
- github.com/tensorflow/tensorflow/releases/tag/v2.6.4 (WEB)
- github.com/tensorflow/tensorflow/releases/tag/v2.7.2 (WEB)
- github.com/tensorflow/tensorflow/releases/tag/v2.8.1 (WEB)
- github.com/tensorflow/tensorflow/releases/tag/v2.9.0 (WEB)
- github.com/tensorflow/tensorflow/security/advisories/GHSA-p9rc-rmr5-529j (WEB)