TensorFlow is a widely-used open source platform for machine learning that allows developers to create and train complex neural network models. It recently came to light that there is a buffer overflow vulnerability in the reference implementation of the CONV_3D_TRANSPOSE TensorFlow Lite operator (CVE-2022-41894). This post provides an in-depth look at this vulnerability, the related code snippet, the exploit details and the available fixes.

Vulnerability Details

The issue is related to the CONV_3D_TRANSPOSE TensorFlow Lite operator, specifically in how it increments the data_ptr when adding the bias to the result. The problematic code snippet is as follows:

data_ptr += num_channels;

However, it should be

data_ptr += output_num_channels;

If the number of input channels is different from the number of output channels, the incorrect incrementation of the data_ptr will lead to incorrect results being returned and a buffer overflow will occur if num_channels > output_num_channels.

An attacker can exploit this vulnerability by crafting a model with a specific number of input channels. By doing this, it becomes possible for the attacker to write specific values through the bias of the layer outside the bounds of the buffer. It is important to note that this attack only works if the reference kernel resolver is used in the interpreter.

Patch and Mitigation

The vulnerability has been patched in the following GitHub commit: 72cbdcb25305bb36842d746cc61d72658d2941. The fix will be included in the upcoming TensorFlow 2.11 release.

For users running previous versions of TensorFlow that are still within the supported range (2.10.1, 2.9.3, and 2.8.4), the TensorFlow team will be cherry-picking this commit to ensure the vulnerability is addressed.

If you are using a version of TensorFlow affected by this vulnerability, it is highly recommended that you update to a patched version as soon as possible to protect yourself against potential attacks.


CVE-2022-41894 is a buffer overflow vulnerability in the CONV_3D_TRANSPOSE TensorFlow Lite operator that could potentially allow an attacker to write specific values outside of the buffer bounds. The vulnerability has been patched, and the fix will be available in TensorFlow 2.11, as well as cherry-picked to TensorFlow 2.10.1, 2.9.3, and 2.8.4. Users should ensure they are running a patched version of TensorFlow to avoid potential attacks exploiting this vulnerability.


Published on: 11/18/2022 22:15:00 UTC
Last modified on: 11/22/2022 21:02:00 UTC