`CHECK` failure in tf.reshape in Tensorflow
Description
TensorFlow is an open source platform for machine learning. The implementation of tf.reshape op in TensorFlow is vulnerable to a denial of service via CHECK-failure (assertion failure) caused by overflowing the number of elements in a tensor. This issue has been patched in GitHub commit 61f0f9b94df8c0411f0ad0ecc2fec2d3f3c33555. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tensorflowPyPI | < 2.7.2 | 2.7.2 |
tensorflowPyPI | >= 2.8.0, < 2.8.1 | 2.8.1 |
tensorflowPyPI | >= 2.9.0, < 2.9.1 | 2.9.1 |
tensorflow-cpuPyPI | < 2.7.2 | 2.7.2 |
tensorflow-cpuPyPI | >= 2.8.0, < 2.8.1 | 2.8.1 |
tensorflow-cpuPyPI | >= 2.9.0, < 2.9.1 | 2.9.1 |
tensorflow-gpuPyPI | < 2.7.2 | 2.7.2 |
tensorflow-gpuPyPI | >= 2.8.0, < 2.8.1 | 2.8.1 |
tensorflow-gpuPyPI | >= 2.9.0, < 2.9.1 | 2.9.1 |
Affected products
1- Range: < 2.7.2
Patches
161f0f9b94df8Fix failed check in tf.reshape.
2 files changed · +14 −0
tensorflow/core/kernels/reshape_op.h+5 −0 modified@@ -45,6 +45,11 @@ class ReshapeOp : public OpKernel { TensorShapeUtils::IsScalar(sizes.shape())), errors::InvalidArgument("sizes input must be 1-D, not ", sizes.shape().DebugString())); + OP_REQUIRES( + context, sizes.NumElements() < TensorShape::MaxDimensions(), + errors::InvalidArgument("too many dimensions: must be < ", + TensorShape::MaxDimensions(), ", but received ", + sizes.NumElements())); // Compute the output shape. Determine product of specified // dimensions, and find the index of the unspecified one.
tensorflow/python/kernel_tests/array_ops/array_ops_test.py+9 −0 modified@@ -351,6 +351,15 @@ def testExpandDimsWithNonScalarDim(self): "must be a tensor with a single value"): array_ops.expand_dims(1, axis=[0, 1]) + def testReshapeWithManyDims(self): + with self.assertRaisesRegex(errors.InvalidArgumentError, + "too many dimensions"): + self.evaluate( + array_ops.reshape( + tensor=[[1]], + shape=constant_op.constant([1 for i in range(254)], + dtype=dtypes.int64))) + @test_util.with_eager_op_as_function class ReverseV2Test(test_util.TensorFlowTestCase):
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-f4w6-h4f5-wx45ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-35934ghsaADVISORY
- github.com/tensorflow/tensorflow/commit/61f0f9b94df8c0411f0ad0ecc2fec2d3f3c33555ghsax_refsource_MISCWEB
- github.com/tensorflow/tensorflow/releases/tag/v2.10.0ghsaWEB
- github.com/tensorflow/tensorflow/security/advisories/GHSA-f4w6-h4f5-wx45ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.