High severityNVD Advisory· Published May 20, 2022· Updated Apr 22, 2025
Segfault and Out-of-bounds Write write due to incomplete validation in TensorFlow
CVE-2022-29208
Description
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.EditDistance has incomplete validation. Users can pass negative values to cause a segmentation fault based denial of service. In multiple places throughout the code, one may compute an index for a write operation. However, the existing validation only checks against the upper bound of the array. Hence, it is possible to write before the array by massaging the input to generate negative values for loc. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tensorflowPyPI | < 2.6.4 | 2.6.4 |
tensorflowPyPI | >= 2.7.0, < 2.7.2 | 2.7.2 |
tensorflowPyPI | >= 2.8.0, < 2.8.1 | 2.8.1 |
tensorflow-cpuPyPI | < 2.6.4 | 2.6.4 |
tensorflow-cpuPyPI | >= 2.7.0, < 2.7.2 | 2.7.2 |
tensorflow-cpuPyPI | >= 2.8.0, < 2.8.1 | 2.8.1 |
tensorflow-gpuPyPI | < 2.6.4 | 2.6.4 |
tensorflow-gpuPyPI | >= 2.7.0, < 2.7.2 | 2.7.2 |
tensorflow-gpuPyPI | >= 2.8.0, < 2.8.1 | 2.8.1 |
Affected products
1- Range: < 2.6.4
Patches
130721cf564cbFix tf.raw_ops.EditDistance vulnerability with negative indices.
2 files changed · +28 −10
tensorflow/core/kernels/edit_distance_op.cc+10 −10 modified@@ -203,9 +203,9 @@ class EditDistanceOp : public OpKernel { auto loc = std::inner_product(g_truth.begin(), g_truth.end(), output_strides.begin(), int64_t{0}); OP_REQUIRES( - ctx, loc < output_elements, + ctx, 0 <= loc && loc < output_elements, errors::Internal("Got an inner product ", loc, - " which would require in writing to outside of " + " which would require writing to outside of " "the buffer for the output tensor (max elements ", output_elements, ")")); output_t(loc) = @@ -218,9 +218,9 @@ class EditDistanceOp : public OpKernel { auto loc = std::inner_product(g_hypothesis.begin(), g_hypothesis.end(), output_strides.begin(), int64_t{0}); OP_REQUIRES( - ctx, loc < output_elements, + ctx, 0 <= loc && loc < output_elements, errors::Internal("Got an inner product ", loc, - " which would require in writing to outside of " + " which would require writing to outside of " "the buffer for the output tensor (max elements ", output_elements, ")")); output_t(loc) = hypothesis_seq.size(); @@ -232,9 +232,9 @@ class EditDistanceOp : public OpKernel { auto loc = std::inner_product(g_truth.begin(), g_truth.end(), output_strides.begin(), int64_t{0}); OP_REQUIRES( - ctx, loc < output_elements, + ctx, 0 <= loc && loc < output_elements, errors::Internal("Got an inner product ", loc, - " which would require in writing to outside of " + " which would require writing to outside of " "the buffer for the output tensor (max elements ", output_elements, ")")); output_t(loc) = (normalize_) ? 1.0 : truth_seq.size(); @@ -248,9 +248,9 @@ class EditDistanceOp : public OpKernel { auto loc = std::inner_product(g_hypothesis.begin(), g_hypothesis.end(), output_strides.begin(), int64_t{0}); OP_REQUIRES( - ctx, loc < output_elements, + ctx, 0 <= loc && loc < output_elements, errors::Internal("Got an inner product ", loc, - " which would require in writing to outside of the " + " which would require writing to outside of the " "buffer for the output tensor (max elements ", output_elements, ")")); output_t(loc) = hypothesis_seq.size(); @@ -266,9 +266,9 @@ class EditDistanceOp : public OpKernel { auto loc = std::inner_product(g_truth.begin(), g_truth.end(), output_strides.begin(), int64_t{0}); OP_REQUIRES( - ctx, loc < output_elements, + ctx, 0 <= loc && loc < output_elements, errors::Internal("Got an inner product ", loc, - " which would require in writing to outside of the " + " which would require writing to outside of the " "buffer for the output tensor (max elements ", output_elements, ")")); output_t(loc) = (normalize_) ? 1.0 : truth_seq.size();
tensorflow/python/kernel_tests/array_ops/edit_distance_op_test.py+18 −0 modified@@ -207,6 +207,24 @@ def testEditDistanceZeroLengthHypothesisAndTruth(self): normalize=True, expected_output=expected_output) + def testEditDistanceBadIndices(self): + hypothesis_indices = np.full((3, 3), -1250999896764, dtype=np.int64) + hypothesis_values = np.empty(3, dtype=np.int64) + hypothesis_shape = np.empty(3, dtype=np.int64) + truth_indices = np.full((3, 3), -1250999896764, dtype=np.int64) + truth_values = np.full([3], 2, dtype=np.int64) + truth_shape = np.full([3], 2, dtype=np.int64) + expected_output = [] # dummy; ignored + + self._testEditDistance( + hypothesis=(hypothesis_indices, hypothesis_values, hypothesis_shape), + truth=(truth_indices, truth_values, truth_shape), + normalize=False, + expected_output=expected_output, + expected_err_re=(r"inner product -\d+ which would require writing " + "to outside of the buffer for the output tensor") + ) + if __name__ == "__main__": test.main()
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/advisories/GHSA-2r2f-g8mw-9gvrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-29208ghsaADVISORY
- github.com/tensorflow/tensorflow/commit/30721cf564cb029d34535446d6a5a6357bebc8e7ghsax_refsource_MISCWEB
- github.com/tensorflow/tensorflow/releases/tag/v2.6.4ghsax_refsource_MISCWEB
- github.com/tensorflow/tensorflow/releases/tag/v2.7.2ghsax_refsource_MISCWEB
- github.com/tensorflow/tensorflow/releases/tag/v2.8.1ghsax_refsource_MISCWEB
- github.com/tensorflow/tensorflow/releases/tag/v2.9.0ghsax_refsource_MISCWEB
- github.com/tensorflow/tensorflow/security/advisories/GHSA-2r2f-g8mw-9gvrghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.