High severity · NVD Advisory · Published Mar 24, 2023 · Updated Feb 19, 2025
TensorFlow has null dereference on ParallelConcat with XLA
CVE-2023-25676
Description
TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, tf.raw_ops.ParallelConcat segfaults with a nullptr dereference when given a parameter shape with rank that is not greater than zero. A fix is available in TensorFlow 2.12.0 and 2.11.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tensorflow (PyPI) | < 2.11.1 | 2.11.1 |
| tensorflow-cpu (PyPI) | < 2.11.1 | 2.11.1 |
| tensorflow-gpu (PyPI) | < 2.11.1 | 2.11.1 |
Affected products
- Range: < 2.11.1
Patches
- da66bc6d5ff4: Check for unexpected scalars in the shape argument to ParallelConcat.
4 files changed · +26 −3
tensorflow/core/kernels/inplace_ops.cc+1 −1 modified@@ -78,7 +78,7 @@ class ParallelConcatUpdate : public OpKernel { OP_REQUIRES( ctx, value.dim_size(0) > loc_, errors::InvalidArgument("0th dimension of value = ", value.dim_size(0), - " is less than loc_=", loc_)); + " must be greater than loc_ = ", loc_)); auto update = ctx->input(1);
tensorflow/core/ops/array_ops.cc+7 −0 modified@@ -15,6 +15,7 @@ limitations under the License. #include <algorithm> #include <ostream> +#include <vector> #include "tensorflow/core/framework/common_shape_fns.h" #include "tensorflow/core/framework/full_type.pb.h" @@ -309,6 +310,12 @@ REGISTER_OP("ParallelConcat") return errors::InvalidArgument( "All input shapes must be fully defined."); } + if (c->Rank(c->input(i)) < 1) { + return errors::InvalidArgument( + "The rank of all input shapes must be greater than 0, " + "but input ", + i, " had rank ", c->Rank(c->input(i)), "."); + } DimensionHandle unused; if (!c->WithValue(c->Dim(c->input(i), 0), 1, &unused).ok()) { return errors::InvalidArgument("Size of first dimension must be 1.");
tensorflow/python/kernel_tests/array_ops/stack_op_test.py+3 −2 modified@@ -83,8 +83,9 @@ def f(): y = gen_array_ops.parallel_concat(values=[["tf"]], shape=0) return y - with self.assertRaisesRegex(errors.InvalidArgumentError, - r"0th dimension of value .* is less than"): + with self.assertRaisesRegex( + errors.InvalidArgumentError, r"0th dimension .* must be greater than" + ): f() def testSimpleParallelGPU(self):
tensorflow/python/ops/array_ops_test.py+15 −0 modified@@ -18,6 +18,7 @@ from tensorflow.python.eager import def_function from tensorflow.python.framework import dtypes from tensorflow.python.framework import tensor_spec +from tensorflow.python.framework import test_util from tensorflow.python.ops import array_ops from tensorflow.python.ops import math_ops from tensorflow.python.ops import random_ops @@ -91,6 +92,20 @@ def g(x): conc = g.get_concrete_function(tensor_spec.TensorSpec([10, None])) self.assertAllEqual(conc.output_shapes.as_list(), [10]) + @test_util.run_in_graph_and_eager_modes + def testParallelConcatFailsWithRankZeroShape(self): + op = array_ops.ParallelConcat + para = {"shape": 0, "values": [1]} + + def func(): + y = op(**para) + return y + + with self.assertRaisesRegex( + Exception, "(rank|dimension) of .* must be greater than .* 0" + ): + func() + if __name__ == "__main__": test.main()
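Review bot: The check added to the ParallelConcat shape function in tensorflow/core/ops/array_ops.cc tests the rank of each `values` input (`c->Rank(c->input(i)) < 1`), while the commit subject speaks of scalars in the `shape` argument, and nothing in the visible lines validates the rank of `shape` itself. If that is rejected earlier in the function, a short comment saying so would help; otherwise add the matching check on the shape attribute. Two smaller points: `c->Rank(c->input(i))` is evaluated twice, once in the condition and once in the message, so read it into a local, and the added `#include <vector>` is not used by any line added in this diff, so drop it or mention the include cleanup in the commit message.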
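Review bot: testParallelConcatFailsWithRankZeroShape in tensorflow/python/ops/array_ops_test.py does not pin the new shape-function check. It catches bare `Exception`, and the pattern `(rank|dimension) of .* must be greater than .* 0` also matches the reworded kernel message from inplace_ops.cc ("0th dimension of value = ... must be greater than loc_ = 0" when loc_ is 0), so the test can pass without the added rank check being reached. Narrow the exception to the error classes actually expected and match on the "rank of all input shapes" text. The test also passes `shape=0` and a scalar in `values` together, and the only decorator visible is `run_in_graph_and_eager_modes`; separate cases that vary one argument at a time, plus one that compiles with XLA (the configuration the advisory describes), would show which input is rejected and where.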
References
- github.com/advisories/GHSA-6wfh-89q8-44jq (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-25676 (ghsa, ADVISORY)
- github.com/tensorflow/tensorflow/commit/da66bc6d5ff466aee084f9e7397980a24890cd15 (ghsa, x_refsource_MISC, WEB)
- github.com/tensorflow/tensorflow/security/advisories/GHSA-6wfh-89q8-44jq (ghsa, x_refsource_CONFIRM, WEB)