PT-2026-42819 · Arm · Armnn
Michele Spagnuolo · Published 2026-05-22 · Updated 2026-05-26
CVE-2026-42627
CVSS v3.1: 6.2 (Medium)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Arm ArmNN versions prior to 2026-03-28
Description
An integer overflow exists in the TensorShape::GetNumElements() function within armnn/Tensor.cpp. This occurs when tensor dimensions are multiplied using 32-bit unsigned arithmetic without overflow detection, leading the GetNumBytes() function to return an understated allocation size. A crafted TFLite model file can exploit this to bypass buffer size validation, triggering a heap-based buffer over-read during model optimization. Specifically, the BatchToSpaceNdLayer reads beyond the allocated buffer during the Optimize()->InferOutputShapes() process.
Recommendations
Update to a version released after 2026-03-27.
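The arithmetic failure described above, next to an overflow-checked size calculation, as an added C++ example (not ArmNN's code and not its fix). The function names, the sample shapes and the 4-byte element size are assumptions chosen for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>
#include <vector>

using Dims = std::vector<uint32_t>;

// Illustrative only: 32-bit unsigned product with no overflow detection,
// the class of defect the description names. Hypothetical name.
uint32_t NumElementsWrapping(const Dims& dims) {
    uint32_t count = 1;
    for (uint32_t d : dims) count *= d;  // silently reduced modulo 2^32
    return count;
}

// Checked variant: accumulate in 64 bits and refuse any shape whose running
// product leaves the 32-bit range (strict: rejected even if a later dim is 0).
std::optional<uint32_t> NumElementsChecked(const Dims& dims) {
    uint64_t count = 1;
    for (uint32_t d : dims) {
        count *= d;  // both factors are below 2^32, so 64 bits cannot wrap
        if (count > std::numeric_limits<uint32_t>::max()) return std::nullopt;
    }
    return static_cast<uint32_t>(count);
}

// Size validation that fails closed: a shape that cannot be sized is never
// treated as fitting the supplied buffer.
bool BufferFits(const Dims& dims, uint32_t elemSize, uint64_t bufferLen) {
    std::optional<uint32_t> n = NumElementsChecked(dims);
    if (!n) return false;
    return static_cast<uint64_t>(*n) * elemSize <= bufferLen;  // below 2^64
}

int main() {
    const Dims wrapping = {65536, 65537};    // constructed: true product is 2^32 + 65536
    const Dims ordinary = {1, 224, 224, 3};  // constructed: 150528 elements
    std::printf("wrapping count: %u\n",
                static_cast<unsigned>(NumElementsWrapping(wrapping)));
    std::printf("checked rejects: %d\n", !NumElementsChecked(wrapping).has_value());
    std::printf("ordinary fits: %d\n", BufferFits(ordinary, 4, 602112));
    return 0;
}
```

With the wrapping product, the constructed shape reports 65536 elements and would pass a size check against a 262144-byte buffer; the checked path rejects the same shape before any size comparison is made.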
Fix
Integer Overflow
Affected Products
Armnn