CVE-2020-15195: TensorFlow: heap overflow in sparse gradient op

HIGH PoC AVAILABLE
Published September 25, 2020
CISO Take

Any TensorFlow deployment below versions 1.15.4/2.0.3/2.1.2/2.2.1/2.3.1 that runs the SparseFillEmptyRowsGrad op on sparse tensors it does not fully control is exposed to a heap buffer overflow; per the CVSS vector the trigger is a low-privileged network attacker with no user interaction. The op is the gradient of SparseFillEmptyRows, so training jobs and any graph that computes that gradient over external input are the primary exposure. Patch immediately; no configuration workaround restores the missing bounds check. Audit your ML infrastructure inventory now: pinned base images and long-lived training containers routinely carry pre-fix TensorFlow builds, and the issue has been public since 2020.

What is the risk?

High risk for organizations operating multi-tenant ML training platforms, or exposing graphs that contain this op to authenticated but untrusted users. CVSS 8.8 with a network vector and a low privilege requirement makes it broadly exploitable without user interaction. Although published in 2020, organizations with unmanaged ML dependency sprawl or containerized training infrastructure pinned to old TF versions remain exposed. Not in CISA KEV; a public PoC is indexed (trickest/cve) and the GitHub security advisory states the trigger condition.

What systems are affected?

Package      Ecosystem   Vulnerable Range                                                          Patched
TensorFlow   pip         < 1.15.4; 2.0.0 to 2.0.2; 2.1.0 to 2.1.1; 2.2.0; 2.3.0 (per the advisory)   1.15.4, 2.0.3, 2.1.2, 2.2.1, 2.3.1
TensorFlow   leap        not stated                                                                No patch listed

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.94%
chance of exploitation in 30 days
Higher than 56% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

5 steps
  1. PATCH

    Upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 across all environments (dev, staging, prod).

  2. AUDIT

    Run dependency scan across containerized ML workloads—pinned base images frequently carry stale TF versions.

  3. NETWORK ISOLATION

    Restrict TensorFlow Serving endpoints to internal network segments; eliminate public-facing inference APIs where not business-critical.

  4. INPUT VALIDATION

    Enforce server-side bounds checking on sparse tensor inputs before they reach TF ops: every entry of reverse_index_map must lie in [0, len(grad_values)), which is exactly the check the fix adds to the kernel.

  5. MONITOR

    Alert on anomalous ML worker crashes (SIGSEGV, core dumps) and on unexpected InvalidArgument errors from sparse ops. A failed heap-corruption attempt usually shows up as a crash before a successful one does, so these are the earliest observable signals.
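The audit step above is easy to get wrong by hand because five release branches were fixed at different patch levels. The following is an added example, not code from the advisory or from the TensorFlow project: it scans pinned requirement or Dockerfile lines for tensorflow / tensorflow-gpu / tensorflow-cpu pins and flags any version inside the vulnerable ranges stated in the advisory. The sample input is constructed for the example; the package-name regex and the treatment of pre-release suffixes (a "2.3.0rc1" style pin is counted as 2.3.0 and therefore vulnerable) are assumptions made here.

```python
"""Added example (not TensorFlow's code): audit pinned TensorFlow versions
against the CVE-2020-15195 vulnerable ranges."""
import re

# Fixed versions from the advisory: 1.15.4, 2.0.3, 2.1.2, 2.2.1, 2.3.1.
# Anything below 1.15.4, and each 2.x branch below its fix, is vulnerable.
FIXED_2X = {0: (2, 0, 3), 1: (2, 1, 2), 2: (2, 2, 1), 3: (2, 3, 1)}

# Matches "tensorflow==2.2.0", "tensorflow-gpu==1.15.4", also inside a
# "RUN pip install ..." line. Assumption: only exact '==' pins are audited.
PIN_RE = re.compile(r"\b(tensorflow(?:-gpu|-cpu)?)\s*==\s*([0-9][\w.]*)", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch) as ints; trailing letters such as 'rc1'
    are dropped, so a pre-release compares as its base version."""
    nums = []
    for part in text.strip(".").split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(version):
    v = parse_version(version)
    if v < (1, 15, 4):            # every 1.x release before 1.15.4
        return True
    if v[0] == 1:                 # 1.15.4 and later 1.15.x are fixed
        return False
    if v[0] == 2 and v[1] in FIXED_2X:
        return v < FIXED_2X[v[1]]
    return False                  # 2.4 and later were released after the fix


def audit_requirements(lines):
    """Return (line_number, package, version) for every vulnerable pin."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = PIN_RE.search(line)
        if m and is_vulnerable(m.group(2)):
            findings.append((n, m.group(1).lower(), m.group(2)))
    return findings


# Constructed sample: a requirements file mixed with a Dockerfile line.
SAMPLE = """\
# requirements.txt (constructed sample)
numpy==1.19.2
tensorflow==2.2.0
tensorflow-gpu==1.15.4
RUN pip install tensorflow-cpu==2.3.0
tensorflow==2.4.1
"""

if __name__ == "__main__":
    for n, pkg, ver in audit_requirements(SAMPLE.splitlines()):
        print(f"line {n}: {pkg}=={ver} is vulnerable to CVE-2020-15195")
```

Run it over `pip freeze` output from each image as well as over the source requirement files; the pin in a Dockerfile is often not the version actually installed in the layer.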

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.6.1.2 - AI risk assessment
NIST AI RMF
MANAGE 2.2 - Risk response mechanisms for AI systems
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2020-15195?

Any TensorFlow deployment below versions 1.15.4/2.0.3/2.1.2/2.2.1/2.3.1 that runs the SparseFillEmptyRowsGrad op on sparse tensors it does not fully control is exposed to a heap buffer overflow; per the CVSS vector the trigger is a low-privileged network attacker with no user interaction. The op is the gradient of SparseFillEmptyRows, so training jobs and any graph that computes that gradient over external input are the primary exposure. Patch immediately; no configuration workaround restores the missing bounds check. Audit your ML infrastructure inventory now: pinned base images and long-lived training containers routinely carry pre-fix TensorFlow builds, and the issue has been public since 2020.

Is CVE-2020-15195 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15195, increasing the risk of exploitation.

How to fix CVE-2020-15195?

1. PATCH: Upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 across all environments (dev, staging, prod). 2. AUDIT: Run a dependency scan across containerized ML workloads; pinned base images frequently carry stale TF versions. 3. NETWORK ISOLATION: Restrict TensorFlow Serving endpoints to internal network segments; eliminate public-facing inference APIs where not business-critical. 4. INPUT VALIDATION: Enforce server-side bounds checking on sparse tensor inputs before they reach TF ops; every entry of reverse_index_map must lie in [0, len(grad_values)). 5. MONITOR: Alert on anomalous ML worker crashes (SIGSEGV, core dumps) and unexpected InvalidArgument errors from sparse ops; a failed heap-corruption attempt usually shows up as a crash before a successful one does.

What systems are affected by CVE-2020-15195?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, recommendation system pipelines, multi-tenant ML platforms, NLP sparse embedding pipelines.

What is the CVSS score for CVE-2020-15195?

CVE-2020-15195 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.94%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, recommendation system pipelines, multi-tenant ML platforms, NLP sparse embedding pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.1.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the implementation of `SparseFillEmptyRowsGrad` uses a double indexing pattern. It is possible for `reverse_index_map(i)` to be an index outside of bounds of `grad_values`, thus resulting in a heap buffer overflow. The issue is patched in commit 390611e0d45c5793c7066110af37c8514e6a6c54, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
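To make the "double indexing pattern" concrete, and to show the bounds check that the input-validation step above asks for, here is an added example that is not TensorFlow's code: a pure-Python model of the kernel's indexing loop. The semantics modelled are those of the op (d_values[i] = grad_values[reverse_index_map[i]]; d_default_value sums the grad_values entries no index points to, tracked through a visited array, which is also where the out-of-bounds write lands). The sample tensors are constructed for the example; in the real kernel the unchecked indices read and write past a heap buffer, whereas Python merely raises IndexError for a large index and silently aliases the end of the buffer for a negative one.

```python
"""Added example (not TensorFlow's code): the SparseFillEmptyRowsGrad
indexing pattern, vulnerable beside hardened."""


def sparse_fill_empty_rows_grad_unchecked(reverse_index_map, grad_values):
    """Pre-patch pattern: reverse_index_map[i] is used to index grad_values
    and a visited array with no check that it lies within either buffer.
    In C++ this is a heap out-of-bounds read and write; here a negative
    index silently aliases the tail of the buffer and a large one raises."""
    n_full = len(grad_values)
    visited = [False] * n_full
    d_values = []
    for idx in reverse_index_map:
        d_values.append(grad_values[idx])   # unchecked read
        visited[idx] = True                 # unchecked write
    d_default_value = sum(g for j, g in enumerate(grad_values) if not visited[j])
    return d_values, d_default_value


def validate_reverse_index_map(reverse_index_map, n_full):
    """The check the fix adds: every index must be in [0, n_full).
    Raising ValueError stands in for the kernel's InvalidArgument error
    (the exact message here is an assumption)."""
    for i, idx in enumerate(reverse_index_map):
        if not 0 <= idx < n_full:
            raise ValueError(
                f"reverse_index_map[{i}] = {idx} is outside [0, {n_full})")


def sparse_fill_empty_rows_grad(reverse_index_map, grad_values):
    """Hardened version: validate, then run the same loop."""
    validate_reverse_index_map(reverse_index_map, len(grad_values))
    return sparse_fill_empty_rows_grad_unchecked(reverse_index_map, grad_values)


def rejects(reverse_index_map, grad_values):
    """True if the hardened op refuses the input (used for testing)."""
    try:
        sparse_fill_empty_rows_grad(reverse_index_map, grad_values)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a 3-row sparse tensor had values on rows 0 and 2,
    # row 1 was filled with the default, so the two original values sit at
    # output positions 0 and 2 and the gradient has three entries.
    grad_values = [1.0, 2.0, 3.0]
    print(sparse_fill_empty_rows_grad([0, 2], grad_values))     # ([1.0, 3.0], 2.0)

    # Crafted input: index 7 with only 3 gradient entries. The hardened op
    # rejects it; the unchecked loop would read past the buffer.
    print(rejects([0, 7], grad_values))                           # True

    # Negative index: the unchecked loop returns a wrong but plausible
    # result instead of failing, which is why the check must be explicit.
    print(sparse_fill_empty_rows_grad_unchecked([-1, 0], grad_values))  # ([3.0, 1.0], 2.0)
```

In a real pipeline the same validation belongs in front of `tf.raw_ops.SparseFillEmptyRowsGrad(reverse_index_map=..., grad_values=...)` or, more usefully, on the sparse indices before they enter the graph, since the gradient op's inputs are derived from the forward pass; on a fixed TensorFlow build the kernel performs the check itself.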

Exploitation Scenario

An adversary who can feed a crafted sparse tensor into a graph that executes SparseFillEmptyRowsGrad (most directly a training job on a multi-tenant platform, a job-submission or notebook API reachable with valid credentials, or a served graph that happens to include the gradient op) supplies a reverse_index_map containing indices outside the bounds of grad_values. The kernel reads grad_values at each of those indices and marks a visited array at the same positions without any check, so it reads and writes past the heap-allocated buffers. Plain TensorFlow Serving inference does not run a backward pass, so a predict endpoint is only affected if the exported graph contains this op. Heap corruption of this kind can in principle be developed into code execution on the worker, which would let the attacker exfiltrate proprietary model weights, inject backdoored model artifacts into the pipeline, or pivot to training infrastructure on the same network segment.

Weaknesses (CWE)

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
September 25, 2020
Last Modified
November 21, 2024
First Seen
September 25, 2020

Related Vulnerabilities