CVE-2026-42627 Overview
CVE-2026-42627 is an integer overflow vulnerability in Arm ArmNN through 2026-03-27. The flaw resides in TensorShape::GetNumElements() within armnn/Tensor.cpp. A crafted TensorFlow Lite (TFLite) model file can bypass buffer size validation and trigger a heap-based buffer over-read during model optimization. The overflow occurs when tensor dimensions are multiplied using 32-bit unsigned arithmetic without overflow detection, causing GetNumBytes() to return an understated allocation size. During Optimize()->InferOutputShapes(), the BatchToSpaceNdLayer reads beyond the allocated buffer. This vulnerability is tracked under [CWE-190] (Integer Overflow or Wraparound).
Critical Impact
A local attacker can supply a malicious TFLite model that causes ArmNN to read past heap buffer boundaries, resulting in application crash and denial of service during model optimization.
Affected Products
- Arm ArmNN through 2026-03-27
- ArmNN TFLite Parser (armnnTfLiteParser/TfLiteParser.cpp)
- Applications embedding ArmNN for on-device inference
Discovery Timeline
- 2026-05-22 - CVE-2026-42627 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-42627
Vulnerability Analysis
The vulnerability stems from unchecked 32-bit unsigned multiplication when computing the total element count of a tensor. TensorShape::GetNumElements() iterates across tensor dimensions and multiplies them together. When a crafted TFLite model declares dimensions whose product exceeds UINT32_MAX, the result wraps around to a small value. Downstream, GetNumBytes() consumes this truncated count to determine allocation size, returning a buffer far smaller than the logical tensor requires.
During model optimization, Optimize() invokes InferOutputShapes() on each layer. The BatchToSpaceNdLayer then operates on this undersized allocation while indexing using the attacker-controlled, non-wrapped dimensional logic. The result is a heap-based buffer over-read that corrupts process state and crashes the host application.
Root Cause
The root cause is the absence of overflow detection during dimension multiplication in Tensor.cpp. The arithmetic relies on the native width of uint32_t without checked-multiplication primitives or pre-multiplication validation against UINT32_MAX. Buffer size validation in the TFLite parser cannot detect the discrepancy because it trusts the wrapped result.
Attack Vector
Exploitation requires local delivery of a malicious TFLite model to a process that uses ArmNN for inference or model optimization. The attacker controls the tensor shape metadata embedded in the FlatBuffers-encoded model. No authentication or user interaction is required beyond loading the model. The impact is restricted to availability — the over-read does not yield confidentiality or integrity loss based on the published CVSS profile.
The vulnerability manifests during the optimization pass, not at parse time, so superficial schema validation does not mitigate the issue. See the ArmNN Tensor source and TFLite parser source for the affected code paths.
Detection Methods for CVE-2026-42627
Indicators of Compromise
- Unexpected crashes or SIGSEGV terminations in processes linking against libarmnn.so during model load or optimization.
- TFLite model files containing tensor shape dimensions whose product exceeds UINT32_MAX (for example, multiple dimensions near 2^16 or above).
- Core dumps showing fault addresses inside BatchToSpaceNdLayer::InferOutputShapes or adjacent ArmNN optimization routines.
Detection Strategies
- Scan stored and incoming TFLite models for tensors whose dimensional product overflows 32-bit arithmetic before passing them to ArmNN.
- Run ArmNN-consuming workloads under AddressSanitizer (ASan) in pre-production to surface heap over-reads triggered by malformed models.
- Monitor application crash telemetry for repeated faults correlated with specific model hashes or model-loading endpoints.
Monitoring Recommendations
- Log every TFLite model load with a SHA-256 hash and source identifier to enable retroactive triage.
- Alert on abnormal process termination rates for inference services that accept user-supplied models.
- Track ArmNN library versions across endpoints and ML build pipelines to confirm patch coverage.
How to Mitigate CVE-2026-42627
Immediate Actions Required
- Restrict TFLite model ingestion to trusted, signed sources until a patched ArmNN release is deployed.
- Sandbox or isolate processes that perform model optimization so a crash does not affect adjacent services.
- Add a pre-validation step that rejects models whose tensor dimensions overflow 64-bit-promoted multiplication.
Patch Information
No vendor patch URL is published in the NVD record at the time of writing. Monitor the ArmNN repository for commits to src/armnn/Tensor.cpp that introduce checked multiplication in TensorShape::GetNumElements(). Rebuild and redistribute ArmNN-linked applications once a fixed release is available.
Workarounds
- Implement a wrapper around armnnTfLiteParser that validates each tensor's dimensional product against UINT32_MAX using 64-bit arithmetic prior to invoking Optimize().
- Disable acceptance of externally supplied TFLite models in deployments where on-device inference uses only first-party models.
- Apply OS-level resource limits and seccomp filters to inference processes to contain crash impact.
# Configuration example: reject TFLite models with overflowing tensor dimensions
# Pseudocode validation prior to ArmNN Optimize()
# for each tensor in model.tensors:
# product = 1 (uint64_t)
# for dim in tensor.shape:
# product *= dim
# if product > 0xFFFFFFFF:
# reject_model()
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
