CVE-2020-15204: TensorFlow: null ptr deref DoS in eager mode ops

MEDIUM PoC AVAILABLE
Published September 25, 2020
CISO Take

Network-accessible TensorFlow instances running in eager mode can be crashed by any unauthenticated attacker by invoking GetSessionHandle ops, causing a denial-of-service. Patch to TF 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 immediately. If patching is delayed, restrict network access to TensorFlow Serving endpoints and block raw op exposure at the API gateway level.

What is the risk?

Medium risk (CVSS 5.3). The attack is trivially exploitable—no authentication, no user interaction, low complexity over the network—but impact is limited to partial availability loss. Not in CISA KEV and no evidence of active exploitation. Primary concern is operational disruption to ML inference services rather than data breach or system compromise. Deployments with internet-facing TF Serving instances carry the highest operational risk.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
leap No patch

How severe is it?

CVSS 3.1
5.3 / 10
EPSS
0.9%
chance of exploitation in 30 days
Higher than 55% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

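Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): Low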

What should I do?

  1. Patch: Upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

  2. Workaround: Restrict network access to TensorFlow Serving endpoints via firewall; block access to raw ops endpoints if not operationally required.

  3. Detection: Monitor for unexpected process crashes or segmentation faults in TF serving and inference logs—repeated crashes from the same source IP are a strong indicator.

  4. Audit: Inventory all TF deployments and their network exposure, prioritizing internet-facing instances for immediate patching.
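
The following is an added example for steps 1 and 4, not code from the advisory or the TensorFlow project: it decides per release branch whether a TensorFlow version predates the fixed releases listed above and sorts an inventory so internet-facing hosts come first. The host names and inventory rows are constructed, and treating 2.4 and later as unaffected is an assumption.

```python
import re
from importlib import metadata

# Fixed release per branch, taken from the advisory text on this page.
FIXED_PATCH = {(1, 15): 4, (2, 0): 3, (2, 1): 2, (2, 2): 1, (2, 3): 1}
FIRST_CLEAN_BRANCH = (2, 4)  # assumption: branches after 2.3 include the fix

def parse_version(text):
    """Split a pip-style version into (major, minor, patch, is_prerelease)."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?(.*)$", text)
    if not m:
        raise ValueError(f"unrecognized version: {text!r}")
    pre = re.match(r"[-.]?(rc|a|b|dev)", m.group(4), re.I) is not None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), pre

def is_affected(version):
    major, minor, patch, pre = parse_version(version)
    if (major, minor) >= FIRST_CLEAN_BRANCH:
        return False
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:  # e.g. 1.14.x: older branch with no fixed release
        return True
    # A pre-release of the fixed patch (2.3.1rc0) sorts before the fix itself.
    return patch < fixed or (patch == fixed and pre)

def installed_tensorflow():
    """Versions of the TensorFlow pip distributions in this environment."""
    found = {}
    for dist in ("tensorflow", "tensorflow-cpu", "tensorflow-gpu"):
        try:
            found[dist] = metadata.version(dist)
        except metadata.PackageNotFoundError:
            pass
    return found

def triage(inventory):
    """Affected (host, exposure, version) rows, internet-facing first."""
    hits = [row for row in inventory if is_affected(row[2])]
    return sorted(hits, key=lambda row: (row[1] != "internet", row[0]))

# Constructed sample inventory (hypothetical hosts), not data from the page.
SAMPLE = [
    ("batch-train-07", "internal", "2.1.1"),
    ("serving-edge-01", "internet", "2.3.0"),
    ("serving-edge-02", "internet", "2.3.1"),
    ("notebook-11", "internal", "2.2.1rc0"),
]

if __name__ == "__main__":
    for host, exposure, version in triage(SAMPLE):
        print(f"PATCH {host} ({exposure}) tensorflow {version}")
```

On a real host, `installed_tensorflow()` supplies the version column for that machine's inventory row.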

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: 8.4 - AI System Operation
NIST AI RMF: MANAGE-2.2 - Mechanisms to Manage AI Risks

Frequently Asked Questions

Is CVE-2020-15204 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15204, increasing the risk of exploitation.

What systems are affected by CVE-2020-15204?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference, training pipelines.

What is the CVSS score for CVE-2020-15204?

CVE-2020-15204 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.90%.

What is the AI security impact?

Affected AI Architectures

model serving, inference, training pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 8.4
NIST AI RMF: MANAGE-2.2

What are the technical details?

Original Advisory

In eager mode, TensorFlow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 does not set the session state. Hence, calling `tf.raw_ops.GetSessionHandle` or `tf.raw_ops.GetSessionHandleV2` results in a null pointer dereference. In the linked snippet, in eager mode, `ctx->session_state()` returns `nullptr`. Since the code immediately dereferences this, we get a segmentation fault. The issue is patched in commit 9a133d73ae4b4664d22bd1aa6d654fec13c52ee1, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

Exploitation Scenario

An attacker discovers a TensorFlow Serving or custom TF inference API endpoint exposed over the internet. Without any credentials, they craft a request that invokes tf.raw_ops.GetSessionHandle (or GetSessionHandleV2) while the runtime is in eager mode. Since eager mode does not initialize session state, ctx->session_state() returns nullptr; the immediate dereference causes a segmentation fault, crashing the TensorFlow process and taking down the inference service. Any ML-dependent application relying on that endpoint is disrupted until ops staff manually restart the service—enabling repeated, low-effort availability attacks.

Weaknesses (CWE)

CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.

  • [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
  • [Requirements] Select a programming language that is not susceptible to these issues.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Timeline

Published
September 25, 2020
Last Modified
November 21, 2024
First Seen
September 25, 2020
