Issue type
Bug
Have you reproduced the bug with TensorFlow Nightly?
Yes
Source
source
TensorFlow version
2.21.0
Custom code
Yes
OS platform and distribution
Linux kali 6.18.12+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.18.12-1kali1 (2026-02-25) x86_64 GNU/Linux
Mobile device
No response
Python version
Python 3.13.12
Bazel version
No response
GCC/compiler version
No response
CUDA/cuDNN version
No response
GPU model and memory
No response
Current behavior?
A vulnerability exists in the TensorFlow tf.data pipeline within the InterleaveDatasetOp kernel. The parameter cycle_length lacks an upper-bound validation in tensorflow/core/kernels/data/interleave_dataset_op.cc. When a user provides an excessively large value (e.g., INT64_MAX), it causes an integer overflow or invalid state during the internal modulo operation. This leads to an out-of-bounds memory access on the heap, resulting in a Segmentation Fault (SIGSEGV).
Repository: github.com/tensorflow/tensorflow
File: tensorflow/core/kernels/data/interleave_dataset_op.cc
Analysis: Lines 792–799 parse the cycle_length but only check if it is greater than zero. No maximum threshold is enforced.
The vulnerability is triggered when the iterator attempts to cycle through datasets using an overflowed index. In a Linux environment (Kali/Ubuntu), this results in an immediate process crash.
exploit.py
Reporter: Kritik Bhattarai
Standalone code to reproduce the issue
Steps to Reproduce:
Save the attached exploit.py to your local machine.
Ensure TensorFlow is installed: pip install tensorflow.
Run the script: python3 exploit.py.
The Python process terminates with a Segmentation fault. Kernel Logs (dmesg): python3[23933]: segfault at 70 ip 000000000054485d sp 00007ffc0c197278 error 4 in python3.13
This is a high-severity Denial of Service (DoS) and potential Memory Corruption issue. As TensorFlow is widely used in shared environments (Google Vertex AI, Kaggle, and production inference servers), an attacker can provide a maliciously crafted dataset configuration to crash the hosting infrastructure or potentially achieve arbitrary code execution via heap corruption.
This report concerns the TensorFlow core repository (github.com/tensorflow/tensorflow), which is explicitly listed as a high-priority target in the Google Open Source VRP rules
Note: I already Reported This in Google Bug Hunters Oss Vrp Program But This Goes To Intend Behavior So I Reported Here
Relevant log output
The Python process terminates with a Segmentation fault. Kernel Logs (dmesg): python3[23933]: segfault at 70 ip 000000000054485d sp 00007ffc0c197278 error 4 in python3.13
Issue type
Bug
Have you reproduced the bug with TensorFlow Nightly?
Yes
Source
source
TensorFlow version
2.21.0
Custom code
Yes
OS platform and distribution
Linux kali 6.18.12+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.18.12-1kali1 (2026-02-25) x86_64 GNU/Linux
Mobile device
No response
Python version
Python 3.13.12
Bazel version
No response
GCC/compiler version
No response
CUDA/cuDNN version
No response
GPU model and memory
No response
Current behavior?
A vulnerability exists in the TensorFlow tf.data pipeline within the InterleaveDatasetOp kernel. The parameter cycle_length lacks an upper-bound validation in tensorflow/core/kernels/data/interleave_dataset_op.cc. When a user provides an excessively large value (e.g., INT64_MAX), it causes an integer overflow or invalid state during the internal modulo operation. This leads to an out-of-bounds memory access on the heap, resulting in a Segmentation Fault (SIGSEGV).
Repository: github.com/tensorflow/tensorflow
File: tensorflow/core/kernels/data/interleave_dataset_op.cc
Analysis: Lines 792–799 parse the cycle_length but only check if it is greater than zero. No maximum threshold is enforced.
The vulnerability is triggered when the iterator attempts to cycle through datasets using an overflowed index. In a Linux environment (Kali/Ubuntu), this results in an immediate process crash.
exploit.py
Reporter: Kritik Bhattarai
Standalone code to reproduce the issue
Relevant log output
The Python process terminates with a Segmentation fault. Kernel Logs (dmesg): python3[23933]: segfault at 70 ip 000000000054485d sp 00007ffc0c197278 error 4 in python3.13