CVE-2022-41899 - TensorFlow SdcaOptimizer Crashes on Invalid Input Shapes — What You Must Know

TensorFlow is the foundation of countless machine learning projects, trusted for its flexibility and speed. However, security vulnerabilities can sneak into even the most well-maintained open source libraries. In this post, we’ll break down CVE-2022-41899—a bug that could crash your TensorFlow-powered service if it gets unexpected input data.

In simple words: if you feed TensorFlow’s SdcaOptimizer the wrong shape of data, the library can panic and crash. If your app accepts untrusted user data, this crash could mean service denial or worse.

Let’s walk through what this vulnerability is, how it works, and most importantly, how to patch it.

What is TensorFlow’s SdcaOptimizer?

SdcaOptimizer is a tool in TensorFlow for optimizing certain models, especially when using Stochastic Dual Coordinate Ascent (SDCA) for linear classification and regression. It’s often used when you want to train models fast on large, sparse datasets.

You’d use it something like this

import tensorflow as tf
optimizer = tf.compat.v1.train.sdca_optimizer.SDCAOptimizer(
    example_id_column='example_id',
    # ... more parameters here ...
)

But as with all tools, if you give it broken inputs, bad things can happen.

The Core of CVE-2022-41899

TensorFlow expects inputs named dense_features or example_state_data to have exactly 2 dimensions (literally, shape rank == 2). If you hand it something with the wrong number of dimensions—a 1D vector, a 3D tensor, etc.—TensorFlow hits a failing CHECK statement. This isn’t a gentle error; it’s a hard crash.

If an attacker can provide weird-shaped data, they could kill your training or online inference service.

Here’s a bit of the code that was affected (before the fix)

// TensorFlow expects dense_features to have shape [num_examples, num_features]
CHECK(dense_features.dims() == 2) << "dense_features must be of rank 2";

If this check fails, it triggers a “CHECK fail” — and that kills your Python process.

In Python

import tensorflow as tf
dense_features = tf.constant([[1, 2, 3]])   # This is ok (rank 2)
optimizer.minimize(loss, [dense_features])

bad_features = tf.constant([1, 2, 3])       # This is NOT ok (rank 1)
optimizer.minimize(loss, [bad_features])    # Will crash!

All TensorFlow users with versions before 2.11 are impacted if

- They use SdcaOptimizer in a way that inputs could be any rank, especially from external or untrusted sources.

Exploit Example

Suppose a public-facing machine learning service uses TensorFlow and exposes model training or inference via API. If a malicious or careless user submits invalidly-shaped input, the server could crash—leading to denial of service.

A pseudocode demonstration

# Exploiting the issue with wrong rank:
import tensorflow as tf
from tensorflow.compat.v1 import train

sdca = train.sdca_optimizer.SDCAOptimizer(
    example_id_column='id'
    # all other required params...
)
# Input is intentionally a 1D array instead of a 2D one.
bad_input = tf.constant([1, 2, 3, 4])  # Bad: has rank 1

try:
    # This will trigger the CHECK fail and crash the application.
    sdca.minimize(loss, [bad_input])
except Exception as e:
    print("Crashed:", e)

No normal Python exception is caught: this is a hard application crash, not just an error.

The Fix and Patch

The TensorFlow dev team addressed this in GitHub commit 80ff197d03db2a70c6a111f97dcdacad1bbabfa. The patch changes the handling so that, if the rank is wrong, you get a Python error you can catch—not a total crash.

Important: The fix will be included in TensorFlow 2.11 and will be backported (“cherrypicked”) into the following patch releases:

2.8.4

So, upgrade as soon as possible if you’re running one of those versions.

Links and References

- Original GitHub Commit Fix
- TensorFlow Security Advisories
- CVE Details: CVE-2022-41899
- TensorFlow SdcaOptimizer Docs

Prefer safe error handling—don’t rely on CHECK statements to protect against invalid inputs.

- Keep your TensorFlow version up to date. Subscribe to the TensorFlow Security Bulletin for news.

Summary

CVE-2022-41899 is a bug that lets invalid input data crash services using TensorFlow’s SdcaOptimizer. The fix is live, and patches are being backported to supported TensorFlow versions.

Action: If you use SdcaOptimizer, upgrade TensorFlow to the newest patch release for your version train.

Timeline

Published on: 11/18/2022 22:15:00 UTC
Last modified on: 07/10/2023 16:18:00 UTC