{"id":"CVE-2019-16778","details":"In TensorFlow before 1.15, a heap buffer overflow in UnsortedSegmentSum can be triggered when the Index template argument is int32. In this case, the data_size and num_segments fields are truncated from int64 to int32 and can become negative, resulting in out-of-bounds heap memory access. This issue is unlikely to be exploitable and was detected and fixed internally in TensorFlow 1.15 and 2.0.","aliases":["GHSA-844w-j86r-4x2j","PYSEC-2019-209","PYSEC-2019-227","PYSEC-2019-234"],"modified":"2026-04-11T12:42:16.974659Z","published":"2019-12-16T21:15:11.403Z","related":["GHSA-844w-j86r-4x2j"],"references":[{"type":"ADVISORY","url":"https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2019-002.md"},{"type":"FIX","url":"https://github.com/tensorflow/tensorflow/commit/db4f9717c41bccc3ce10099ab61996b246099892"},{"type":"FIX","url":"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-844w-j86r-4x2j"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tensorflow/tensorflow","events":[{"introduced":"07bb8ea2379bd459832b23951fb20ec47f3fdbd4"},{"fixed":"590d6eef7e91a6a7392c8ffffb7b58f2e0c8bc6b"},{"fixed":"db4f9717c41bccc3ce10099ab61996b246099892"}],"database_specific":{"versions":[{"introduced":"1.0.0"},{"fixed":"1.15.0"}]}}],"database_specific":{"vanir_signatures":[{"signature_version":"v1","target":{"function":"UnsortedSegmentCustomKernel","file":"tensorflow/core/kernels/segment_reduction_ops_gpu.cu.cc"},"source":"https://github.com/tensorflow/tensorflow/commit/db4f9717c41bccc3ce10099ab61996b246099892","deprecated":false,"signature_type":"Function","digest":{"length":587,"function_hash":"266894416459361751620089497165734716131"},"id":"CVE-2019-16778-3e415c80"},{"signature_version":"v1","target":{"file":"tensorflow/core/kernels/segment_reduction_ops.h"},"source":"https://github.com/tensorflow/tensorflow/commit/db4f9717c41bccc3ce10099ab61996b246099892","deprecated":false,"signature_t
ype":"Line","digest":{"threshold":0.9,"line_hashes":["6331943894980170858317685863833019921","214045140222777259402560935204409547022","325949159944068704645175937099705523434","217103848399254908549452665988682354306","36609377068039595622747933847199008210","303981863166469280781391800200062441955","135573884173473358802937650600170517754"]},"id":"CVE-2019-16778-4e560553"},{"signature_version":"v1","target":{"file":"tensorflow/core/kernels/segment_reduction_ops.cc"},"source":"https://github.com/tensorflow/tensorflow/commit/db4f9717c41bccc3ce10099ab61996b246099892","deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["235808693327189569773861597970002535008","233840798026001491035449614171210650261","297236745294115179364218354575228198905","217103848399254908549452665988682354306","138171583532476712804643446649285637055","131438787052235017093187079144201496341","217587043612413161713395564627822427757","53898417695724250738386203698104109303","231774044929129441942408657734919873581","140085148330711797794822886821193955800","15495048468221142250885038703526623930","224724561869747404585048890080141808440","35978388368913015282323042689977567452","101151445395358462602359746539746681306","307500103657767808926503624762076338352","80536324588068045439065565551699926686","209722453098834018287566370706714234702","83735232936593708566606704657904030171","314847732684356313379879494794964162171","105669561747146498072531413962649791404","172522443652807291382493424283539300604","179629018600915798836450332928215706766","62604986084811498261860577393949968283","28615251482390868241522251138091267201","84524174550741019855421470326922165764","109034631481903650929940682251329303444","143075626819419434934623976388550016838","64740571689536485805738928248049143986","30327033083339852320058392098391597674"]},"id":"CVE-2019-16778-586ec0b3"},{"signature_version":"v1","target":{"file":"tensorflow/core/kernels/segment_reduction_ops_gpu.cu.cc"}
,"source":"https://github.com/tensorflow/tensorflow/commit/db4f9717c41bccc3ce10099ab61996b246099892","deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["241834037666819623320381953616657334415","90585862458611126869396751146719075224","284872941290040171933256608605664435682","245293425034819623005819707696611218443","239371226030914074137771114425101515639","111607732684104047069398367905718721602","255157576971051492744535599527380196849","127353723193930900676794857139839437423","270038944708426845955823256494207787275","186210706438643820419605026626225513271","195993372722558603778323033966360693538","128526609872678751648941912773596740388","32042473063003910688910450257822399593","316191027526243402032719468774352395646","23743177690187600005788207380750594215","294443632435942355517383844715153726745","198653707757938920082634171977107565854","25438555418510026969656707757172142427","209584356186833386283873667078455028045","80544102889775894229518500146424714561","117099923301638954517171633816362339360","217103848399254908549452665988682354306","138171583532476712804643446649285637055","291877326891371503454283783598949437601","164966773204095387073122954974107991607","192173673991019347476596747105667313908","319670334364595086588422219931456447943","92539266289901056658407397414959215628","171650989323595829624457831776727401695","327747886273491899192655896882347191672","201095175880604228994003679729554042810","191470641991708592979612823657418492473","70168493943418284232543547624190868968","76017820953141862933367634066537409660","242227575524681261580486205135821626686","335358723786867363265519041459636314861","16070661091722372647900024146014514860","123141785934739425068917517220333006988","152544555879643756162346618460030209319","337318988659652004145975253244355674786"]},"id":"CVE-2019-16778-658cad4b"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-16778.json","vanir_signatures
_modified":"2026-04-11T12:42:16Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}