Low severity · NVD Advisory · Published Sep 16, 2022 · Updated Apr 23, 2025
Integer overflow in math ops in TensorFlow
CVE-2022-36015
Description
TensorFlow is an open source platform for machine learning. When RangeSize receives values that do not fit into an int64_t, it crashes. We have patched the issue in GitHub commit 37e64539cd29fcfb814c4451152a60f5d107b0f0. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
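One overflow-safe way to compute a range's element count for 64-bit integer inputs, as an added example (it is not TensorFlow's code and not the fix in the commit). `checked_range_size` is a hypothetical helper, and treating a delta that points away from the limit as an empty range is an assumption:

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Writes the element count of range(start, limit, delta) to *out and returns
// true; returns false when delta == 0 or the count does not fit in int64_t.
// Assumption (not from the patch): a delta pointing away from limit gives an
// empty range, as Python's range() does.
bool checked_range_size(int64_t start, int64_t limit, int64_t delta,
                        int64_t* out) {
  if (delta == 0) return false;
  if ((delta > 0 && start >= limit) || (delta < 0 && start <= limit)) {
    *out = 0;
    return true;
  }
  // Do the subtraction in uint64_t: it wraps modulo 2^64 (well defined) and,
  // because the ordering is known, yields the exact distance even for
  // INT64_MIN..INT64_MAX, where `limit - start` in int64_t would overflow.
  const uint64_t s = static_cast<uint64_t>(start);
  const uint64_t l = static_cast<uint64_t>(limit);
  const uint64_t span = delta > 0 ? l - s : s - l;
  // |delta| without negating in the signed type (abs(INT64_MIN) overflows).
  const uint64_t d = static_cast<uint64_t>(delta);
  const uint64_t step = delta > 0 ? d : uint64_t{0} - d;
  // Ceiling division without forming span + step - 1, which could wrap.
  const uint64_t count = span / step + (span % step != 0 ? 1 : 0);
  if (count > static_cast<uint64_t>(std::numeric_limits<int64_t>::max())) {
    return false;
  }
  *out = static_cast<int64_t>(count);
  return true;
}

int main() {
  const int64_t lo = std::numeric_limits<int64_t>::min();
  const int64_t hi = std::numeric_limits<int64_t>::max();
  int64_t n = 0;
  // Constructed inputs: an ordinary range and the widest possible one.
  bool ok = checked_range_size(0, 10, 3, &n);
  std::printf("range(0, 10, 3): ok=%d n=%lld\n", ok, static_cast<long long>(n));
  ok = checked_range_size(lo, hi, 1, &n);
  std::printf("range(min, max, 1): ok=%d\n", ok);
  return 0;
}
```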
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tensorflow (PyPI) | < 2.7.2 | 2.7.2 |
| tensorflow (PyPI) | >= 2.8.0, < 2.8.1 | 2.8.1 |
| tensorflow (PyPI) | >= 2.9.0, < 2.9.1 | 2.9.1 |
| tensorflow-cpu (PyPI) | < 2.7.2 | 2.7.2 |
| tensorflow-cpu (PyPI) | >= 2.8.0, < 2.8.1 | 2.8.1 |
| tensorflow-cpu (PyPI) | >= 2.9.0, < 2.9.1 | 2.9.1 |
| tensorflow-gpu (PyPI) | < 2.7.2 | 2.7.2 |
| tensorflow-gpu (PyPI) | >= 2.8.0, < 2.8.1 | 2.8.1 |
| tensorflow-gpu (PyPI) | >= 2.9.0, < 2.9.1 | 2.9.1 |
Affected products
- Range: < 2.7.2
Patches
- 37e64539cd29: Fix overflow issue
1 file changed · +12 −11
tensorflow/core/ops/math_ops.cc+12 −11 modified@@ -1487,17 +1487,18 @@ Status RangeSize(const Tensor* start_t, const Tensor* limit_t, return errors::InvalidArgument("Requires delta != 0"); } - auto size = (std::is_integral<T>::value - ? ((Eigen::numext::abs(limit - start) + - Eigen::numext::abs(delta) - T(1)) / - Eigen::numext::abs(delta)) - : (Eigen::numext::ceil( - Eigen::numext::abs((limit - start) / delta)))); - - // Undefined behaviour if size will not fit into int64_t - if (size > std::numeric_limits<int64_t>::max()) { - return errors::InvalidArgument("Requires ((limit - start) / delta) <= ", - std::numeric_limits<int64_t>::max()); + int64_t size; + if (std::is_integral<T>::value) { + size = Eigen::divup(static_cast<int64_t>(Eigen::numext::abs(limit - start)), + static_cast<int64_t>(Eigen::numext::abs(delta))); + } else { + auto size_auto = + Eigen::numext::ceil(Eigen::numext::abs((limit - start) / delta)); + if (size_auto > std::numeric_limits<int64_t>::max()) { + return errors::InvalidArgument("Requires ((limit - start) / delta) <= ", + std::numeric_limits<int64_t>::max()); + } + size = static_cast<int64_t>(size_auto); } c->set_output(0, c->Vector(static_cast<int64_t>(size)));
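Review bot: In the new integral branch, `Eigen::numext::abs(limit - start)` is still evaluated in `T` and only afterwards cast to `int64_t`, so for a wide integer `T` the subtraction (or `abs` of the minimum value) can overflow before the cast, and this branch no longer has any range check at all. Consider computing the distance in an unsigned 64-bit type, or rejecting operands whose difference is not representable, before calling `Eigen::divup`. In the floating branch, `size_auto > std::numeric_limits<int64_t>::max()` compares against a bound that rounds up to 2^63 when converted to floating point, so a `size_auto` of exactly 2^63, or a NaN, passes the check and the following `static_cast<int64_t>(size_auto)` is out of range; using `>=` together with an explicit NaN check would close that. The `static_cast<int64_t>(size)` in the trailing context line is now redundant because `size` is already `int64_t`.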
References
- github.com/advisories/GHSA-rh87-q4vg-m45j (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-36015 (ghsa, ADVISORY)
- github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ops/math_ops.cc (ghsa, x_refsource_MISC, WEB)
- github.com/tensorflow/tensorflow/commit/37e64539cd29fcfb814c4451152a60f5d107b0f0 (ghsa, x_refsource_MISC, WEB)
- github.com/tensorflow/tensorflow/releases/tag/v2.10.0 (ghsa, WEB)
- github.com/tensorflow/tensorflow/security/advisories/GHSA-rh87-q4vg-m45j (ghsa, x_refsource_CONFIRM, WEB)