CVE-2022-21741 in Tensorflow

Summary

by MITRE • 02/03/2022

Tensorflow is an Open Source Machine Learning Framework.

Impact: An attacker can craft a TFLite model that would trigger a division by zero in the implementation of depthwise convolutions. The parameters of the convolution can be user controlled and are also used within a division operation to determine the size of the padding that needs to be added before applying the convolution. There is no check before this division that the divisor is strictly positive. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Analysis

by VulDB Data Team • 05/06/2025

The vulnerability CVE-2022-21741 affects TensorFlow's TFLite machine learning framework, specifically targeting the depthwise convolution implementation where a division by zero condition can be triggered through crafted model inputs. This represents a critical security flaw that undermines the robustness of TensorFlow's mobile and edge computing capabilities. The issue stems from insufficient input validation within the convolution parameter processing logic, where user-controllable parameters are directly utilized in division operations without proper sanitization checks. The vulnerability manifests when the convolution parameters contain values that result in a zero divisor during padding size calculations, creating an exploitable condition that can lead to application crashes or potential denial of service scenarios. According to the CWE classification system, this vulnerability maps to CWE-369: Divide by Zero, which is a well-documented weakness in software security that occurs when a program attempts to divide a number by zero. The operational impact extends beyond simple crashes as this vulnerability can be leveraged by adversaries to disrupt services or potentially execute malicious code within the context of applications that process TFLite models.

The technical implementation flaw occurs within the depthwise convolution function where padding calculations rely on user-provided parameters to determine divisor values for computing required padding sizes. The absence of pre-division validation means that if any convolution parameter evaluates to zero during the padding computation phase, the division operation will fail catastrophically. This particular weakness demonstrates poor defensive programming practices and highlights the importance of input validation in security-critical code paths. The vulnerability is particularly concerning because TFLite models are commonly deployed in mobile applications, embedded systems, and edge devices where such failures can have significant operational consequences. The exploitability of this condition requires an attacker to craft a malicious TFLite model with specifically designed convolution parameters that will trigger the zero division scenario during model execution. This attack vector aligns with ATT&CK technique T1059.001 for command and control through code injection, and T1499.004 for network denial of service, as the vulnerability can be used to disrupt services that rely on TensorFlow inference capabilities.

The security implications of this vulnerability extend across multiple deployment scenarios where TensorFlow is utilized for machine learning inference tasks. Mobile applications, IoT devices, and edge computing solutions that incorporate TFLite models become susceptible to service disruption or system instability when processing maliciously crafted inputs. The affected versions include TensorFlow 2.5.3 through 2.7.1, indicating a substantial portion of the supported release cycle is impacted by this flaw. Organizations using TensorFlow in production environments must urgently assess their exposure to this vulnerability, particularly those deploying TFLite models in mobile applications or edge computing deployments where input validation may be insufficient. The remediation approach involves implementing proper input validation checks before division operations and ensuring that all convolution parameters are validated for mathematical correctness. The fix implementation demonstrates proper software security practices by addressing the root cause through defensive programming techniques that prevent invalid mathematical operations. This vulnerability serves as a reminder of the critical importance of validating all inputs in security-sensitive code paths and highlights the necessity of comprehensive testing procedures that include edge case scenarios. The vulnerability's classification under CWE-369 underscores the fundamental nature of the flaw and its potential for causing system instability, making it a priority for immediate remediation across all affected TensorFlow versions.
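The unchecked pattern and the remediation described above, as an added illustration in C. This is not TensorFlow's code and not the actual patch; the function and type names are hypothetical, and the SAME/VALID output-size formulas are the usual convolution definitions, assumed here.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names for illustration; not TensorFlow identifiers. */
typedef enum { PAD_SAME, PAD_VALID } pad_mode;

/* Unchecked pattern: stride is read from the model file and used as the
 * divisor. stride == 0 is an integer division by zero (process abort). */
int conv_out_size_unchecked(pad_mode mode, int in, int filter, int stride,
                            int dilation) {
    int eff = (filter - 1) * dilation + 1;   /* effective filter size */
    return mode == PAD_SAME ? (in + stride - 1) / stride
                            : (in + stride - eff) / stride;
}

/* Hardened form: every model-supplied parameter must be strictly positive
 * before it is used, and the arithmetic is widened so it cannot overflow. */
bool conv_out_size_checked(pad_mode mode, int in, int filter, int stride,
                           int dilation, int *out, int *pad_total) {
    if (!out || !pad_total) return false;
    if (in <= 0 || filter <= 0 || stride <= 0 || dilation <= 0) return false;

    long long eff = (long long)(filter - 1) * dilation + 1;
    long long o = (mode == PAD_SAME) ? ((long long)in + stride - 1) / stride
                                     : ((long long)in + stride - eff) / stride;
    if (o < 0) o = 0;                        /* filter larger than input */

    /* Total padding needed so that o output positions fit the input. */
    long long pad = (o - 1) * stride + eff - in;
    if (mode == PAD_VALID || pad < 0) pad = 0;
    if (eff > INT_MAX || pad > INT_MAX) return false;

    *out = (int)o;
    *pad_total = (int)pad;
    return true;
}

int main(void) {
    int out = 0, pad = 0;
    /* Constructed parameters: a well-formed layer, then a zero stride. */
    bool ok = conv_out_size_checked(PAD_SAME, 5, 3, 2, 1, &out, &pad);
    printf("stride=2: ok=%d out=%d pad=%d\n", ok, out, pad);
    ok = conv_out_size_checked(PAD_SAME, 5, 3, 0, 1, &out, &pad);
    printf("stride=0: ok=%d (rejected before any division)\n", ok);
    return 0;
}
```

A model loader would treat a `false` return as a malformed model and refuse to prepare the operator, rather than continuing to inference.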

Responsible: GitHub, Inc.
Reservation: 11/16/2021
Disclosure: 02/03/2022
Moderation: accepted
CPE: ready
EPSS: 0.00821
KEV: no
Activities: very low
