Moderate severityNVD Advisory· Published Nov 18, 2022· Updated Apr 22, 2025

Unckecked rank size in `tf.image.generate_bounding_box_proposals` in Tensorflow

CVE-2022-41888

Description

TensorFlow is an open source platform for machine learning. When running on GPU, tf.image.generate_bounding_box_proposals receives a scores input that must be of rank 4 but is not checked. We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
tensorflowPyPI	< 2.8.4	2.8.4
tensorflowPyPI	>= 2.9.0, < 2.9.3	2.9.3
tensorflowPyPI	>= 2.10.0, < 2.10.1	2.10.1
tensorflow-cpuPyPI	< 2.8.4	2.8.4
tensorflow-gpuPyPI	< 2.8.4	2.8.4
tensorflow-cpuPyPI	>= 2.9.0, < 2.9.3	2.9.3
tensorflow-gpuPyPI	>= 2.9.0, < 2.9.3	2.9.3
tensorflow-cpuPyPI	>= 2.10.0, < 2.10.1	2.10.1
tensorflow-gpuPyPI	>= 2.10.0, < 2.10.1	2.10.1

Affected products

Tensorflow/Tensorflowv5
Range: >= 2.10.0, < 2.10.1

Patches

cf35502463a8

Add rank checks to GenerateBoundingBoxProposals.

https://github.com/tensorflow/tensorflowAntonio SanchezOct 7, 2022via ghsa

commit

3 files changed · +36 −1

tensorflow/core/kernels/image/generate_box_proposals_op.cu.cc+16 −0 modified

@@ -312,6 +312,22 @@ class GenerateBoundingBoxProposals : public tensorflow::OpKernel {
     const auto bbox_deltas = context->input(1);
     const auto image_info = context->input(2);
     const auto anchors = context->input(3);
+
+    OP_REQUIRES(context, scores.dims() == 4,
+                errors::InvalidArgument("`scores` must be rank 4 but is rank ",
+                                        scores.dims()));
+    OP_REQUIRES(
+        context, bbox_deltas.dims() == 4,
+        errors::InvalidArgument("`bbox_deltas` must be rank 4 but is rank ",
+                                bbox_deltas.dims()));
+    OP_REQUIRES(
+        context, image_info.dims() == 2,
+        errors::InvalidArgument("`image_info` must be rank 2 but is rank ",
+                                image_info.dims()));
+    OP_REQUIRES(context, anchors.dims() == 3,
+                errors::InvalidArgument("`anchors` must be rank 3 but is rank ",
+                                        anchors.dims()));
+
     const auto num_images = scores.dim_size(0);
     const auto num_anchors = scores.dim_size(3);
     const auto height = scores.dim_size(1);

tensorflow/python/kernel_tests/image_ops/BUILD+1 −1 modified

@@ -96,7 +96,7 @@ tf_py_test(
     ],
 )
 
-tf_py_test(
+cuda_py_test(
     name = "draw_bounding_box_op_test",
     size = "small",
     srcs = ["draw_bounding_box_op_test.py"],

tensorflow/python/kernel_tests/image_ops/draw_bounding_box_op_test.py+19 −0 modified

@@ -16,8 +16,11 @@
 
 import numpy as np
 
+from tensorflow.python.framework import constant_op
 from tensorflow.python.framework import dtypes
+from tensorflow.python.framework import errors
 from tensorflow.python.framework import ops
+from tensorflow.python.framework import test_util
 from tensorflow.python.ops import array_ops
 from tensorflow.python.ops import image_ops
 from tensorflow.python.ops import image_ops_impl
@@ -131,6 +134,22 @@ def testDrawBoundingBoxHalf(self):
     self._testDrawBoundingBoxColorCycling(
         image, dtype=dtypes.half, colors=colors)
 
+  # generate_bound_box_proposals is only available on GPU.
+  @test_util.run_gpu_only()
+  def testGenerateBoundingBoxProposals(self):
+    # Op only exists on GPU.
+    with self.cached_session(use_gpu=True):
+      with self.assertRaisesRegex((ValueError, errors.InvalidArgumentError),
+                                  "must be rank 4"):
+        scores = constant_op.constant(
+            value=[[[[1.0, 1.0], [1.0, 1.0], [1.0, 1.0], [1.0, 1.0]]]])
+        self.evaluate(
+            image_ops.generate_bounding_box_proposals(
+                scores=scores,
+                bbox_deltas=[],
+                image_info=[],
+                anchors=[],
+                pre_nms_topn=1))
 
 if __name__ == "__main__":
   test.main()

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000