Moderate severityNVD Advisory· Published Nov 18, 2022· Updated Apr 22, 2025
Seg fault in `ndarray_tensor_bridge` due to zero and large inputs in Tensorflow
CVE-2022-41884
Description
TensorFlow is an open source platform for machine learning. If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. We have patched the issue in GitHub commit 2b56169c16e375c521a3bc8ea658811cc0793784. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tensorflowPyPI | < 2.8.4 | 2.8.4 |
tensorflowPyPI | >= 2.9.0, < 2.9.3 | 2.9.3 |
tensorflowPyPI | >= 2.10.0, < 2.10.1 | 2.10.1 |
tensorflow-cpuPyPI | < 2.8.4 | 2.8.4 |
tensorflow-gpuPyPI | < 2.8.4 | 2.8.4 |
tensorflow-cpuPyPI | >= 2.9.0, < 2.9.3 | 2.9.3 |
tensorflow-gpuPyPI | >= 2.9.0, < 2.9.3 | 2.9.3 |
tensorflow-cpuPyPI | >= 2.10.0, < 2.10.1 | 2.10.1 |
tensorflow-gpuPyPI | >= 2.10.0, < 2.10.1 | 2.10.1 |
Affected products
1- Range: >= 2.10.0, < 2.10.1
Patches
12b56169c16e3Fix segfault when using unusally shaped tensors.
3 files changed · +30 −1
tensorflow/python/eager/tensor_test.py+10 −0 modified@@ -515,6 +515,16 @@ def testNumpyTooManyDimensions(self): "can have at most 32 dimensions"): t.numpy() + def testNumpyDimsTooBig(self): + # Creating a Numpy array fails in some cases if the product of non-zero + # dimensions is very big, even if the shape also has a zero in it. + t = array_ops.ones((0, 2**31, 2**31)) + with self.assertRaisesRegex( + errors.InvalidArgumentError, + r"Failed to create numpy array from tensor of shape " + r"\[0, 2147483648, 2147483648\]. Numpy error.*array is too big"): + t.numpy() + class TFETensorUtilTest(test_util.TensorFlowTestCase):
tensorflow/python/lib/core/BUILD+1 −0 modified@@ -88,6 +88,7 @@ cc_library( deps = [ ":bfloat16_lib", ":numpy_lib", + ":py_util", "//tensorflow/c:c_api_no_xla", "//tensorflow/core:lib", "//tensorflow/core:protos_all_cc",
tensorflow/python/lib/core/ndarray_tensor_bridge.cc+19 −1 modified@@ -13,16 +13,20 @@ See the License for the specific language governing permissions and limitations under the License. ==============================================================================*/ +// clang-format off // Must be included first. #include "tensorflow/python/lib/core/numpy.h" +// clang-format on + +#include "tensorflow/python/lib/core/ndarray_tensor_bridge.h" #include <vector> #include "tensorflow/c/c_api.h" #include "tensorflow/core/lib/core/errors.h" #include "tensorflow/core/platform/mutex.h" #include "tensorflow/python/lib/core/bfloat16.h" -#include "tensorflow/python/lib/core/ndarray_tensor_bridge.h" +#include "tensorflow/python/lib/core/py_util.h" namespace tensorflow { @@ -214,6 +218,20 @@ Status ArrayFromMemory(int dim_size, npy_intp* dims, void* data, DataType dtype, } auto* np_array = reinterpret_cast<PyArrayObject*>( PyArray_SimpleNewFromData(dim_size, dims, type_num, data)); + if (np_array == nullptr) { + string shape_str = absl::StrJoin( + absl::Span<npy_intp>{dims, static_cast<size_t>(dim_size)}, ", "); + if (PyErr_Occurred()) { + string exception_str = PyExceptionFetch(); + PyErr_Clear(); + return errors::InvalidArgument( + "Failed to create numpy array from tensor of shape [", shape_str, + "]. Numpy error: ", exception_str); + } + return errors::Internal( + "Failed to create numpy array from tensor of shape [", shape_str, "]"); + } + PyArray_CLEARFLAGS(np_array, NPY_ARRAY_OWNDATA); if (PyType_Ready(&TensorReleaserType) == -1) { return errors::Unknown("Python type initialization failed.");
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.