What is GHSA-cf4x-r2x9-wwh2?

GHSA-cf4x-r2x9-wwh2 is a security advisory published by GitHub Security Advisories with Medium severity. In Arm ArmNN through 2026-03-27, an integer overflow in TensorShape::GetNumElements() in armnn...

Which CVE IDs does GHSA-cf4x-r2x9-wwh2 cover?

GHSA-cf4x-r2x9-wwh2 covers the following CVE IDs: CVE-2026-42627. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-cf4x-r2x9-wwh2?

GHSA-cf4x-r2x9-wwh2 has a CVSS v3 base score of 6.2, published by GitHub Security Advisories.

GHSA-cf4x-r2x9-wwh2MediumCVSS 6.2

In Arm ArmNN through 2026-03-27, an integer overflow in TensorShape::GetNumElements() in armnn...

Vendor

GitHub Security Advisories

Published

May 26, 2026

Last Modified

May 26, 2026

🔗 CVE IDs covered (1)

CVE-2026-42627 →

📋 Description

In Arm ArmNN through 2026-03-27, an integer overflow in TensorShape::GetNumElements() in armnn/Tensor.cpp allows a crafted TFLite model file to bypass buffer size validation and trigger a heap-based buffer over-read during model optimization. The overflow occurs when multiplying tensor dimensions using 32-bit unsigned arithmetic without overflow detection, causing GetNumBytes() to return an understated allocation size. During Optimize()->InferOutputShapes(), the BatchToSpaceNdLayer reads beyond the allocated buffer.

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-42627
https://github.com/ARM-software/armnn/blob/main/src/armnn/Tensor.cpp
https://github.com/ARM-software/armnn/blob/main/src/armnnTfLiteParser/TfLiteParser.cpp
https://github.com/advisories/GHSA-cf4x-r2x9-wwh2