VYPR
Moderate severity · NVD Advisory · Published Jan 3, 2024 · Updated Jun 17, 2025

FPE in paddle.argmin and paddle.argmax

CVE-2023-52313

Description

FPE in paddle.argmin and paddle.argmax in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unvalidated input to PaddlePaddle's argmin/argmax operations causes a floating-point exception, leading to a denial of service via crash.

CVE-2023-52313 is a vulnerability in PaddlePaddle before version 2.6.0 that allows a floating-point exception (FPE) in the paddle.argmin and paddle.argmax functions. The root cause is the lack of validation on the input tensor's size; the functions perform division or other operations that assume a non-empty tensor, resulting in a crash when an empty tensor is provided [1][2].

The attack surface requires the ability to supply a tensor to these functions, which can be achieved locally or remotely via applications that accept user-provided tensors. No authentication is needed if the application exposes these operations without proper input sanitization [2].

Successful exploitation causes a runtime crash, leading to a denial of service. The impact is limited to availability; no data integrity or confidentiality is affected [2][3].

The vulnerability is fixed in PaddlePaddle 2.6.0, where a check was added to ensure the input tensor has at least one element before processing [4]. The fix is documented in the advisory PDSA-2023-022 [2]. Users are advised to upgrade to the latest version or apply the patch.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
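
An application-side guard for the input condition described above, as an added example that is not part of the advisory or of PaddlePaddle's code: it rejects zero-element input before an arg-reduction call, the same numel > 0 condition the fix enforces in the kernels. `numel`, `require_nonempty`, `guarded`, `FakeTensor` and `fake_argmax` are hypothetical names, and the guard assumes the tensor exposes a `.shape` sequence.

```python
import math


def numel(shape) -> int:
    """Element count implied by a shape; () is a scalar holding one element."""
    dims = [int(d) for d in shape]
    if any(d < 0 for d in dims):
        # Assumption: a negative dim means "not yet known"; refuse to guess.
        raise ValueError(f"unresolved dimension in shape {dims}")
    return math.prod(dims)


def require_nonempty(x, op="argmin/argmax"):
    """Reject zero-element input before it reaches the kernel.

    Same condition as the fix (numel > 0), raised as an ordinary ValueError
    at the service boundary. Accepts any object exposing a .shape sequence.
    """
    shape = tuple(x.shape)
    if numel(shape) == 0:
        raise ValueError(f"{op}: input has zero elements, shape={shape}")
    return x


def guarded(reduce_fn):
    """Wrap an arg-reduction callable so empty input is never passed to it."""
    name = getattr(reduce_fn, "__name__", "argmin/argmax")

    def wrapper(x, *args, **kwargs):
        return reduce_fn(require_nonempty(x, name), *args, **kwargs)

    return wrapper


class FakeTensor:
    """Constructed stand-in so the example runs without paddle installed."""

    def __init__(self, shape):
        self.shape = list(shape)


def fake_argmax(x, axis=None):
    """Constructed placeholder for the real reduction; counts its calls."""
    fake_argmax.calls += 1
    return 0


fake_argmax.calls = 0
```

In a service, `guarded` would wrap the real reduction callable at the point where user-supplied tensors enter, so an empty input becomes a handled error rather than a process crash on unpatched versions.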

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| PaddlePaddle (PyPI) | < 2.6.0 | 2.6.0 |

Affected products

2

Patches

1
6ef71779197a

add arg check for argmin and argmax (#59976)

https://github.com/PaddlePaddle/Paddle · wanghuancoder · Dec 14, 2023 · via ghsa
3 files changed · +15 -0
  • paddle/phi/kernels/cpu/arg_min_max_kernel.cc · +5 -0 · modified
    @@ -153,6 +153,11 @@ void ArgMinMaxKernel(const Context& dev_ctx,
                          bool flatten,
                          DataType dtype,
                          DenseTensor* out) {
    +  PADDLE_ENFORCE_GT(
    +      x.numel(),
    +      0,
    +      phi::errors::InvalidArgument(
    +          "argmin/argmax input numel must > 0, bug got %d", x.numel()));
       if (dtype == DataType::UNDEFINED) {
         phi::VisitDataTypeTiny(
             phi::DataType::INT64,
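
    Review bot: The error string in the new PADDLE_ENFORCE_GT call has a typo, "bug got" should read "but got", and "input numel must > 0" is missing a verb. This message is what a caller now sees in place of the crash, so something like "argmin/argmax input numel must be greater than 0, but got %d" would read better. The same string is repeated in the GPU and XPU hunks, so the correction applies there too.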
    
  • paddle/phi/kernels/gpu/arg_min_max_kernel.cu · +5 -0 · modified
    @@ -211,6 +211,11 @@ void ArgMinMaxOpCUDAKernel(const Context& dev_ctx,
                                bool flatten,
                                DataType dtype,
                                DenseTensor* out) {
    +  PADDLE_ENFORCE_GT(
    +      x.numel(),
    +      0,
    +      phi::errors::InvalidArgument(
    +          "argmin/argmax input numel must > 0, bug got %d", x.numel()));
       if (dtype == DataType::UNDEFINED) {
         phi::VisitDataTypeTiny(
             phi::DataType::INT64,
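
    Review bot: No test accompanies the check at the top of ArgMinMaxOpCUDAKernel: the change summary lists only the three kernel files, so nothing in this commit exercises the new error path. Suggest adding a regression test that passes a zero-element tensor to paddle.argmin and paddle.argmax and expects InvalidArgument. The check is also a verbatim copy of the CPU one, so consider putting the numel validation in one place shared by all backends, so that a kernel added later cannot miss it.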
    
  • paddle/phi/kernels/xpu/arg_min_max_kernel.cc · +5 -0 · modified
    @@ -30,6 +30,11 @@ void ArgMaxKernel(const Context& dev_ctx,
                       bool flatten,
                       DataType dtype,
                       DenseTensor* out) {
    +  PADDLE_ENFORCE_GT(
    +      x.numel(),
    +      0,
    +      phi::errors::InvalidArgument(
    +          "argmin/argmax input numel must > 0, bug got %d", x.numel()));
       using XPUType = typename XPUTypeTrait<T>::Type;
       PADDLE_ENFORCE_EQ(
           (dtype == DataType::UNDEFINED || dtype == DataType::INT32 ||
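
    Review bot: In the XPU file the check lands only in ArgMaxKernel (the hunk header names that function and the file shows five added lines in total), while the commit title covers both argmin and argmax. If this file also defines an argmin kernel, it needs the same PADDLE_ENFORCE_GT at its entry; if XPU has no argmin kernel, a line in the commit message saying so would make the coverage explicit.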
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
