CVE CyberSecurity Database News

CVE-2022-41894 - Buffer Overflow in TensorFlow Lite CONV_3D_TRANSPOSE - Vulnerability Deep Dive and Exploit Scenario

Poster -

---

TensorFlow is one of the most popular open-source platforms for machine learning and deep learning. While its flexibility empowers millions to build AI solutions, its codebase is also quite complex—which leads to rare but impactful vulnerabilities. One such problem, assigned CVE-2022-41894, lies in the TensorFlow Lite reference implementation for the CONV_3D_TRANSPOSE operator. This post explains, in clear simple language, what went wrong, how it can be exploited, and what developers should do now.

What is CVE-2022-41894 All About?

The bug is a classic buffer overflow problem in TensorFlow Lite (TFLite) when using the reference kernel for CONV_3D_TRANSPOSE, also called "deconvolution" for 3D data. The vulnerable code does not handle memory pointers correctly when applying the bias after convolution.

TensorFlow versions: <= 2.10.

- Fixed in: 2.11, 2.10.1, 2.9.3, 2.8.4 (see GitHub commit 72cbdcb25305bb36842d746cc61d72658d2941)
- Condition: Only if the "reference" TFLite kernel implementation is used. The optimized kernel, used by default on Android and many platforms, is not affected.

What Actually Went Wrong?

In the code responsible for the bias addition at the end of convolution computation, the pointer to the output (data_ptr) is supposed to advance to the next output "feature map" (output channel).

The *bug* is this line (pseudo-code)

data_ptr += num_channels;  // WRONG: this is the input channel count!

It should have been

data_ptr += output_num_channels;  // CORRECT: output buffer is sized by output channels

If the number of input channels is greater than the number of output channels, the pointer overruns the intended output memory, writing outside the allocated buffer. This results in undefined behavior, possible data corruption, or even code execution.

1. Model Crafting

An attacker needs to create a specially-crafted TensorFlow Lite model where the number of input channels to a CONV_3D_TRANSPOSE layer is larger than the number of output channels. This is easily done using the TensorFlow Python API:

import tensorflow as tf
from tensorflow import keras
from tensorflow.keras import layers

# 3 input channels, 2 output channels
inp = keras.Input(shape=(8, 8, 8, 3))
x = layers.Conv3DTranspose(2, kernel_size=3, padding='same', use_bias=True)(inp)
model = keras.Model(inputs=inp, outputs=x)
model.save('exploit_model.tflite', save_format='tflite')

2. Custom Bias Data Injection

The attacker fills the bias with data they want to write outside the real buffer. When TFLite runs this model with the vulnerable reference kernel, the interpreter will write the first output_num_channels bias values as normal, but then move the pointer by num_channels instead of output_num_channels, leading to writes into adjacent memory every time it applies the bias.

3. Exploitation

If the "reference" kernel is enabled in the TFLite interpreter (such as in some custom or debug builds), the buffer overflow occurs. At best, this causes a crash; at worst, it can allow arbitrary code execution depending on what memory is corrupted.

Note: Most default TFLite setups on production (Android, iOS) use optimized kernels and aren't affected *unless* forced to use the reference kernels.

Code Snippet: Vulnerable Function (Simplified)

Here’s what the issue looks like in C++ from the affected TensorFlow Lite kernel code:

Vulnerable Version

for (int b = ; b < batches; ++b) {
  float* data_ptr = output_data + b * out_batch_stride;
  for (int ic = ; ic < num_input_channels; ++ic) {
    // ...Convolution code...
    for (int c = ; c < num_output_channels; ++c) {
      data_ptr[c] += bias_data[c]; // Appling bias
    }
    data_ptr += num_channels; // <--- Off-by-one! Should be num_output_channels
  }
}

Patched Version

data_ptr += num_output_channels; // Fix: Advances correctly

(See patch)

An attacker with control over models can craft them to trigger the bug and write to unexpected RAM.

- This can potentially change model weights, corrupt calculations, alter model outputs, or, in very rare systems, attack interpreter heap structures for code execution.
- This is an example of how data science/model files can become vectors for system attacks!

Only accept and run TFLite models from trusted sources.

- Never run untrusted or user-submitted models on infrastructure that handles sensitive data or commands.

3. Check Your Build

- By default, most production TFLite binaries use optimized kernels. If unsure or using custom builds, audit which kernels are included.

References and Learn More

- GitHub Security Advisory: GHSA-prph-pf5v-6x6v
- Official Patch Commit
- TensorFlow GitHub
- How Does TensorFlow Lite Work?

Conclusion

CVE-2022-41894 is a low-level memory bug that can have severe outcomes in the right (or wrong!) circumstances. This shows that even powerful machine learning platforms like TensorFlow need careful buffer management and code reviews. Always keep your dependencies up to date, validate your models’ sources, and watch out for the software that underpins your AI stack.

Timeline

Published on: 11/18/2022 22:15:00 UTC
Last modified on: 11/22/2022 21:02:00 UTC