CVE-2020-15207 — CRITICAL (CVSS 9.0) AI Security Vulnerability

CISO Take

TensorFlow Lite inference endpoints that accept external inputs are vulnerable to memory corruption through crafted negative axis indices—the bounds check only compiles in debug builds, leaving production deployments exposed. Upgrade to TFLite 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 immediately, prioritizing any edge, mobile, or server-side deployments processing untrusted user inputs. High attack complexity reduces opportunistic risk, but a targeted adversary with TFLite knowledge can reliably trigger out-of-bounds writes.

Risk Assessment

Critical CVSS 9.0 with high attack complexity and no authentication or user interaction required. The scope change vector (C:H/I:H/A:H) indicates potential for full confidentiality, integrity, and availability compromise beyond the TFLite process boundary. Realistic exploitation requires specific knowledge of TFLite op internals and the ability to craft inference inputs with negative axis values, placing this squarely in the hands of a skilled adversary rather than a script kiddie. The lack of CISA KEV listing and no known active exploitation reduces urgency, but unpatched TFLite in production AI pipelines represents an unacceptable risk posture for any organization subject to security audits.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →
leap	—	—	No patch

Severity & Risk

CVSS 3.1

9.0 / 10

EPSS

1.4%

chance of exploitation in 30 days

Higher than 81% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC High

PR None

UI None

S Changed

C High

I High

A High

Recommended Action

1 step

1) Patch: Upgrade tensorflow-lite to 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 per your deployment branch. 2) Validate all axis parameter values at inference API boundaries—reject negative integers before they reach TFLite op resolution. 3) Isolate TFLite serving processes in sandboxed environments (seccomp, namespaces, or containers) with ASLR and stack canaries enabled. 4) Alert on abnormal segfaults or crash loops in TFLite serving processes—these may indicate active exploitation attempts. 5) If immediate patching is blocked, apply a WAF/input filter rule rejecting requests containing negative axis values as an interim control.

Classification

Code Execution DoS Framework Inference AML.T0010.001 - AI Software AML.T0043 - Craft Adversarial Data AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.8.3 - AI system security and safety testing

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain effectiveness of risk or impact mitigations

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2020-15207?

TensorFlow Lite inference endpoints that accept external inputs are vulnerable to memory corruption through crafted negative axis indices—the bounds check only compiles in debug builds, leaving production deployments exposed. Upgrade to TFLite 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 immediately, prioritizing any edge, mobile, or server-side deployments processing untrusted user inputs. High attack complexity reduces opportunistic risk, but a targeted adversary with TFLite knowledge can reliably trigger out-of-bounds writes.

Is CVE-2020-15207 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15207, increasing the risk of exploitation.

How to fix CVE-2020-15207?

1) Patch: Upgrade tensorflow-lite to 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 per your deployment branch. 2) Validate all axis parameter values at inference API boundaries—reject negative integers before they reach TFLite op resolution. 3) Isolate TFLite serving processes in sandboxed environments (seccomp, namespaces, or containers) with ASLR and stack canaries enabled. 4) Alert on abnormal segfaults or crash loops in TFLite serving processes—these may indicate active exploitation attempts. 5) If immediate patching is blocked, apply a WAF/input filter rule rejecting requests containing negative axis values as an interim control.

What systems are affected by CVE-2020-15207?

This vulnerability affects the following AI/ML architecture patterns: model serving, edge inference, mobile ML deployment, embedded AI systems, inference pipelines.

What is the CVSS score for CVE-2020-15207?

CVE-2020-15207 has a CVSS v3.1 base score of 9.0 (CRITICAL). The EPSS exploitation probability is 1.41%.

Technical Details

NVD Description

In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mimic Python's indexing with negative values, TFLite uses `ResolveAxis` to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds. If the `DCHECK` does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out of bounds which results in segfaults and/or data corruption. The issue is patched in commit 2d88f470dea2671b430884260f3626b1fe99830a, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

Exploitation Scenario

An attacker targeting a public TFLite inference API—e.g., an image classification or on-device NLP endpoint—submits a crafted request embedding a tensor operation with a negative axis index. In release builds, the DCHECK bounds check is compiled out. ResolveAxis converts the negative value but produces an invalid positive index; execution proceeds into out-of-bounds memory. Depending on heap layout, the attacker can corrupt adjacent model weights to cause silent mispredictions (stealthy integrity attack), trigger a controlled crash to map memory layout for a follow-on exploit, or—under favorable conditions—achieve code execution within the inference server process and pivot to the underlying host.