`CHECK` fail in `tf.random.gamma` in TensorFlow
Description
TensorFlow is an open source platform for machine learning. When `tf.random.gamma` receives a large sample shape together with a large alpha (rate) tensor, the kernel's output-shape computation fails a `CHECK`, which aborts the process and can therefore be used for a denial of service. The issue has been patched in GitHub commit 552bfced6ce4809db5f3ca305f60ff80dd40c5a3, which applies the same fix to `tf.random.poisson`. The fix will be included in TensorFlow 2.10.0 and is also cherry-picked onto TensorFlow 2.9.1, 2.8.1 and 2.7.2, as those releases are affected and still within the supported range. There are no known workarounds for this issue.
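As an added illustration (not TensorFlow code and not part of the advisory), the following Python models the overflow check that the fix introduces: the requested sample shape and the shape of the alpha/rate tensor are concatenated, and the element count is multiplied out as int64. The inputs are the ones from the regression test in the patch, `[46902, 51188, 34063, 59195]` with a rate tensor of shape `(4, 4, 4, 4, 4)`; they are chosen so that the requested shape alone fits in int64 but the appended shape does not, which is exactly the path that reached the `CHECK` inside `AppendShape` before the fix. The names `num_elements`, `checked_append_shape`, `unchecked_append_shape`, `outcomes`, `ShapeOverflowError`, `CheckFailed` and `probe_tensorflow` are this example's own; `probe_tensorflow` only calls the real `tf.random.gamma` if TensorFlow happens to be importable and is not run by default.

```python
"""Model of the int64 element-count overflow behind this advisory.

Added example, not TensorFlow's own code.  checked_append_shape() stands in
for the patched `OP_REQUIRES_OK(ctx, samples_shape.AppendShapeWithStatus(...))`
and unchecked_append_shape() for the pre-fix `samples_shape.AppendShape(...)`,
whose bounds check is a CHECK that aborts the whole process.
"""
from __future__ import annotations

from typing import Sequence

INT64_MAX = (1 << 63) - 1

# Inputs taken from the regression test in the fix commit: the requested
# sample shape fits in int64 by itself, but not once the rate tensor's
# shape (4, 4, 4, 4, 4), i.e. 1024 more elements per sample, is appended.
TEST_SHAPE = [46902, 51188, 34063, 59195]
TEST_RATE_SHAPE = [4, 4, 4, 4, 4]


class ShapeOverflowError(ValueError):
    """Stand-in for the InvalidArgumentError the patched kernel returns."""


class CheckFailed(RuntimeError):
    """Stand-in for a TensorFlow CHECK failure; the real one aborts the process."""


def num_elements(shape: Sequence[int]) -> int:
    """Multiply the dimensions as int64, raising as soon as the product overflows."""
    total = 1
    for dim in shape:
        if dim < 0:
            raise ValueError(f"negative dimension {dim}")
        total *= dim
        if total > INT64_MAX:
            raise ShapeOverflowError(
                f"shape {list(shape)} has more than 2**63 - 1 elements: overflow")
    return total


def overflows(shape: Sequence[int]) -> bool:
    """True if the element count of `shape` does not fit in int64."""
    try:
        num_elements(shape)
    except ShapeOverflowError:
        return True
    return False


def checked_append_shape(base: Sequence[int], extra: Sequence[int]) -> list[int]:
    """Patched path: concatenate, validate, and hand an error back to the caller."""
    combined = list(base) + list(extra)
    num_elements(combined)  # raises ShapeOverflowError instead of aborting
    return combined


def unchecked_append_shape(base: Sequence[int], extra: Sequence[int]) -> list[int]:
    """Pre-fix path: the same overflow is a CHECK, i.e. a crash of the process."""
    combined = list(base) + list(extra)
    try:
        num_elements(combined)
    except ShapeOverflowError as exc:
        raise CheckFailed(f"Check failed: {exc}") from exc
    return combined


def outcomes(shape: Sequence[int], rate_shape: Sequence[int]) -> tuple[str, str]:
    """Return (patched, unpatched) results for one (shape, rate_shape) request.

    Each entry is "ok", "invalid_argument" (patched kernel returns an error)
    or "check_fail" (unpatched kernel takes the process down).
    """
    try:
        checked_append_shape(shape, rate_shape)
        patched = "ok"
    except ShapeOverflowError:
        patched = "invalid_argument"
    try:
        unchecked_append_shape(shape, rate_shape)
        unpatched = "ok"
    except CheckFailed:
        unpatched = "check_fail"
    return patched, unpatched


def probe_tensorflow(shape: Sequence[int], rate_shape: Sequence[int]) -> str | None:
    """Issue the same request to a real tf.random.gamma, if TensorFlow is importable.

    Returns "invalid_argument" when the kernel rejected the shape, "ok" when
    sampling succeeded, or None when TensorFlow is not installed.  Deliberately
    not run by default: on an unpatched build this is the CHECK failure the
    advisory describes and it aborts the interpreter.
    """
    try:
        import tensorflow as tf
    except ImportError:
        return None
    try:
        tf.random.gamma(shape=list(shape), alpha=tf.ones(list(rate_shape)))
    except (tf.errors.InvalidArgumentError, ValueError):
        return "invalid_argument"
    return "ok"


if __name__ == "__main__":
    for shape, rate_shape in (([2, 3], [4]), (TEST_SHAPE, TEST_RATE_SHAPE)):
        print(shape, "+", rate_shape, "->", outcomes(shape, rate_shape))
```

The point the model makes is that an overflow check on the requested shape alone is not enough: the kernel multiplies in the alpha/rate dimensions after that check, so the product has to be re-validated at the append, and the validation has to surface as a status the op can return rather than a process-level assertion.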
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| tensorflow | PyPI | < 2.7.2 | 2.7.2 |
| tensorflow | PyPI | >= 2.8.0, < 2.8.1 | 2.8.1 |
| tensorflow | PyPI | >= 2.9.0, < 2.9.1 | 2.9.1 |
| tensorflow-cpu | PyPI | < 2.7.2 | 2.7.2 |
| tensorflow-cpu | PyPI | >= 2.8.0, < 2.8.1 | 2.8.1 |
| tensorflow-cpu | PyPI | >= 2.9.0, < 2.9.1 | 2.9.1 |
| tensorflow-gpu | PyPI | < 2.7.2 | 2.7.2 |
| tensorflow-gpu | PyPI | >= 2.8.0, < 2.8.1 | 2.8.1 |
| tensorflow-gpu | PyPI | >= 2.9.0, < 2.9.1 | 2.9.1 |
Affected products
- Range: < 2.7.2; >= 2.8.0, < 2.8.1; >= 2.9.0, < 2.9.1 (tensorflow, tensorflow-cpu and tensorflow-gpu on PyPI)
Patches
552bfced6ce4 Fix size check for large input shape and rates.
4 files changed · +24 −2
tensorflow/core/kernels/random_op.cc+1 −1 modified@@ -166,7 +166,7 @@ class RandomGammaOp : public OpKernel { } const int64_t samples_per_alpha = samples_shape.num_elements(); - samples_shape.AppendShape(alpha_t.shape()); + OP_REQUIRES_OK(ctx, samples_shape.AppendShapeWithStatus(alpha_t.shape())); // Allocate output samples. Tensor* samples_t = nullptr; OP_REQUIRES_OK(ctx, ctx->allocate_output(0, samples_shape, &samples_t));
tensorflow/core/kernels/random_poisson_op.cc+1 −1 modified@@ -296,8 +296,8 @@ class RandomPoissonOp : public OpKernel { TensorShape samples_shape; OP_REQUIRES_OK(ctx, tensor::MakeShape(shape_t, &samples_shape)); const int64_t num_samples = samples_shape.num_elements(); + OP_REQUIRES_OK(ctx, samples_shape.AppendShapeWithStatus(rate_t.shape())); - samples_shape.AppendShape(rate_t.shape()); // Allocate output samples. Tensor* samples_t = nullptr; OP_REQUIRES_OK(ctx, ctx->allocate_output(0, samples_shape, &samples_t));
tensorflow/python/kernel_tests/random/random_gamma_test.py+13 −0 modified@@ -16,7 +16,10 @@ import numpy as np +from tensorflow.python.eager import context +from tensorflow.python.framework import constant_op from tensorflow.python.framework import dtypes +from tensorflow.python.framework import errors from tensorflow.python.framework import ops from tensorflow.python.framework import random_seed from tensorflow.python.framework import test_util @@ -216,6 +219,16 @@ def testPositive(self): self.assertEqual(0, math_ops.reduce_sum(math_ops.cast( math_ops.less_equal(x, 0.), dtype=dtypes.int64)).eval()) + def testSizeTooLarge(self): + # Grappler asserts on size overflow, so this error is only caught when + # running eagerly. + if context.executing_eagerly(): + with self.assertRaisesRegex((ValueError, errors.InvalidArgumentError), + "overflow"): + rate = constant_op.constant(1.0, shape=(4, 4, 4, 4, 4)) + self.evaluate( + random_ops.random_gamma( + shape=[46902, 51188, 34063, 59195], alpha=rate)) if __name__ == "__main__": test.main()
tensorflow/python/kernel_tests/random/random_poisson_test.py+9 −0 modified@@ -17,6 +17,7 @@ from tensorflow.python.framework import constant_op from tensorflow.python.framework import dtypes +from tensorflow.python.framework import errors from tensorflow.python.framework import ops from tensorflow.python.framework import test_util from tensorflow.python.kernel_tests.random import util @@ -171,6 +172,14 @@ def testInfRate(self): sample = random_ops.random_poisson(shape=[2], lam=np.inf) self.assertAllEqual([np.inf, np.inf], self.evaluate(sample)) + def testSizeTooLarge(self): + with self.assertRaisesRegex((ValueError, errors.InvalidArgumentError), + "overflow"): + rate = constant_op.constant(1.0, shape=(4, 4, 4, 4, 4)) + self.evaluate( + random_ops.random_poisson( + shape=[46902, 51188, 34063, 59195], lam=rate)) + if __name__ == "__main__": test.main()
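Review bot: the random_op.cc hunk guards only the append; `samples_per_alpha` is read from `samples_shape.num_elements()` on the line above it, and the construction of `samples_shape` from the requested shape tensor is outside the hunk, so confirm that construction goes through a status-returning path under `OP_REQUIRES_OK` (as `tensor::MakeShape` visibly does in the Poisson kernel) rather than a bare CHECK, otherwise a requested shape that already overflows on its own still aborts before this line is reached.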
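Review bot: the random_poisson_op.cc hunk applies the same fix to `RandomPoissonOp`, but neither the commit message ("Fix size check for large input shape and rates.") nor the advisory description names `tf.random.poisson`; add it so users searching for affected ops find it. As a style point, the `+` line is inserted above the `-` line instead of replacing it in place, which reads as an addition plus an unrelated deletion; ordering it `-` then `+` makes the one-for-one substitution obvious.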
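Review bot: in random_gamma_test.py the new `testSizeTooLarge` does nothing when `context.executing_eagerly()` is False, so in graph mode it passes vacuously; call `self.skipTest(...)` in that branch so the skip is visible in the test report. The comment "Grappler asserts on size overflow" also states that the graph-mode path still asserts on this input, meaning the denial of service is only mitigated for eager execution by this commit; that limitation belongs in the advisory text (or needs its own fix) rather than being hidden behind the guard.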
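Review bot: random_poisson_test.py adds the same `testSizeTooLarge` without the eager-only guard used in the gamma test. If Grappler asserts on the overflow in graph mode as the gamma test comment says, this test will abort the test binary instead of failing in graph mode; if it does not, the guard in the gamma test is unnecessary. Make the two tests consistent and state which is the case.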
Vulnerability mechanics
Both `RandomGammaOp` (tensorflow/core/kernels/random_op.cc) and `RandomPoissonOp` (tensorflow/core/kernels/random_poisson_op.cc) build the output shape by taking the user-requested sample shape and appending the shape of the alpha or rate tensor. Before the fix that append used `TensorShape::AppendShape`, whose bounds check is a `CHECK`, so a request whose sample shape fits in int64 on its own but overflows once the alpha/rate dimensions are appended aborts the process. The fix switches to `AppendShapeWithStatus` under `OP_REQUIRES_OK`, so the same input now returns an `InvalidArgumentError` mentioning "overflow" to the caller. The regression test added by the commit notes that in graph mode Grappler still asserts on the oversized shape, so that test only exercises the error path when executing eagerly.
References
- github.com/advisories/GHSA-mv8m-8x97-937q (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-36004 (NVD)
- github.com/tensorflow/tensorflow/commit/552bfced6ce4809db5f3ca305f60ff80dd40c5a3 (fix commit)
- github.com/tensorflow/tensorflow/releases/tag/v2.10.0 (release notes)
- github.com/tensorflow/tensorflow/security/advisories/GHSA-mv8m-8x97-937q (TensorFlow security advisory)