CVE-2020-15207: TFLite: OOB write via unchecked negative axis index

CRITICAL PoC AVAILABLE
Published September 25, 2020
CISO Take

TensorFlow Lite inference endpoints that accept external inputs are vulnerable to memory corruption through crafted axis indices that remain out of range after negative-index conversion. The only bounds check is a DCHECK that compiles in debug builds alone, leaving production (release) deployments exposed. Upgrade to TFLite 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 immediately, prioritizing any edge, mobile, or server-side deployments processing untrusted user inputs or untrusted model files. High attack complexity reduces opportunistic risk, but a targeted adversary with TFLite knowledge can reliably trigger out-of-bounds writes.

What is the risk?

Critical CVSS 9.0 with high attack complexity and no authentication or user interaction required. Changed scope (S:C) combined with high confidentiality, integrity, and availability impact (C:H/I:H/A:H) indicates potential for full compromise beyond the TFLite process boundary. Realistic exploitation requires specific knowledge of TFLite op internals and a way to get an out-of-range axis value in front of the interpreter (in practice, control over the model file or over the axis tensor fed to a reduce-style op), placing this squarely in the hands of a skilled adversary rather than a script kiddie. The lack of a CISA KEV listing and no known active exploitation reduce urgency, but unpatched TFLite in production AI pipelines is an unacceptable risk posture for any organization subject to security audits.

What systems are affected?

Package      Ecosystem  Vulnerable range                                                      Patched
TensorFlow   pip        < 1.15.4; 2.0.x < 2.0.3; 2.1.x < 2.1.2; 2.2.x < 2.2.1; 2.3.x < 2.3.1   1.15.4, 2.0.3, 2.1.2, 2.2.1, 2.3.1
TensorFlow   leap       (no range listed)                                                     No patch listed

How severe is it?

CVSS 3.1
9.0 / 10
EPSS
1.2%
chance of exploitation in 30 days
Higher than 65% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector)        Network
AC (Attack Complexity)    High
PR (Privileges Required)  None
UI (User Interaction)     None
S  (Scope)                Changed
C  (Confidentiality)      High
I  (Integrity)            High
A  (Availability)         High

What should I do?

5 steps
  1. Patch: upgrade tensorflow-lite to 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 per your deployment branch.
  2. Validate axis values at inference API boundaries. Negative axes are legitimate Python-style indexing, so the check is that every axis lies in [-rank, rank) for the tensor it applies to, not that it is non-negative; reject anything outside that range before it reaches TFLite op resolution. Since axis values are usually carried by the model itself, also refuse to load model files from untrusted sources.
  3. Isolate TFLite serving processes in sandboxed environments (seccomp, namespaces, or containers) with ASLR and stack canaries enabled.
  4. Alert on abnormal segfaults or crash loops in TFLite serving processes; these may indicate active exploitation attempts.
  5. If immediate patching is blocked, put an input filter that understands the request format in front of the interpreter and reject out-of-range axis values as an interim control; a generic WAF rule cannot parse tensor payloads.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.3 - AI system security and safety testing
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain effectiveness of risk or impact mitigations
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2020-15207?

TensorFlow Lite inference endpoints that accept external inputs are vulnerable to memory corruption through crafted axis indices that remain out of range after negative-index conversion. The only bounds check is a DCHECK that compiles in debug builds alone, leaving production (release) deployments exposed. Upgrade to TFLite 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 immediately, prioritizing any edge, mobile, or server-side deployments processing untrusted user inputs or untrusted model files. High attack complexity reduces opportunistic risk, but a targeted adversary with TFLite knowledge can reliably trigger out-of-bounds writes.

Is CVE-2020-15207 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15207, increasing the risk of exploitation.

How to fix CVE-2020-15207?

1) Patch: upgrade tensorflow-lite to 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 per your deployment branch. 2) Validate axis values at inference API boundaries: negative axes are legitimate Python-style indexing, so check that every axis lies in [-rank, rank) for its tensor rather than rejecting all negatives, and refuse anything outside that range before it reaches TFLite op resolution; since axis values are usually carried by the model itself, also refuse to load model files from untrusted sources. 3) Isolate TFLite serving processes in sandboxed environments (seccomp, namespaces, or containers) with ASLR and stack canaries enabled. 4) Alert on abnormal segfaults or crash loops in TFLite serving processes; these may indicate active exploitation attempts. 5) If immediate patching is blocked, put an input filter that understands the request format in front of the interpreter and reject out-of-range axis values as an interim control; a generic WAF rule cannot parse tensor payloads.

What systems are affected by CVE-2020-15207?

This vulnerability affects the following AI/ML architecture patterns: model serving, edge inference, mobile ML deployment, embedded AI systems, inference pipelines.

What is the CVSS score for CVE-2020-15207?

CVE-2020-15207 has a CVSS v3.1 base score of 9.0 (CRITICAL). The EPSS exploitation probability is 1.23%.

What is the AI security impact?

Affected AI Architectures

model serving, edge inference, mobile ML deployment, embedded AI systems, inference pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0043 Craft Adversarial Data
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.8.3
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mimic Python's indexing with negative values, TFLite uses `ResolveAxis` to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds. If the `DCHECK` does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out of bounds which results in segfaults and/or data corruption. The issue is patched in commit 2d88f470dea2671b430884260f3626b1fe99830a, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

Exploitation Scenario

An attacker targeting a public TFLite inference API (e.g., an image classification or on-device NLP endpoint) gets an out-of-range axis value in front of a reduce-style op, for example an axis below -rank delivered through a malicious model file or an attacker-controlled axis tensor. In release builds, the DCHECK bounds check is compiled out. ResolveAxis adds the rank to the negative value, but for an axis below -rank the result is still negative (and an axis at or above rank stays out of range), and execution proceeds with that index into out-of-bounds memory. Depending on heap layout, the attacker can corrupt adjacent model weights to cause silent mispredictions (a stealthy integrity attack), trigger a controlled crash to map memory layout for a follow-on exploit, or, under favorable conditions, achieve code execution within the inference server process and pivot to the underlying host.
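The resolution pattern described in the advisory and in the scenario above, reconstructed as an added C++ example. This is not TensorFlow's source: the function names, the reduce-sum helper and the sample tensor are this example's own assumptions, and only the behaviour (negative-axis conversion whose sole range check is debug-only) follows the advisory text. It shows the release-build behaviour of the unchecked resolver next to a hardened form, and the boundary validator that remediation step 2 calls for: negative axes are accepted, only values outside [-rank, rank) are refused.

```cpp
// Added example, not TensorFlow's source: reconstruction of the negative-axis
// resolution pattern from the advisory, its hardened form, an input-boundary
// validator, and a reduce-sum helper that uses the hardened resolver.
// Function names, signatures and sample data are this example's assumptions.
#include <cstddef>
#include <vector>

// Vulnerable pattern. Python-style negative axes are shifted by the rank, but
// the original's only range check was a TFLITE_DCHECK, compiled out of release
// builds. This models the release build: an axis of -5 on a rank-3 tensor
// becomes -2 and is handed back as if valid, so a later dims[current] or
// stride lookup reads or writes before the start of its buffer.
std::vector<int> ResolveAxisUnchecked(int num_dims, const std::vector<int>& axis) {
  std::vector<int> out;
  for (int a : axis) {
    int current = a < 0 ? a + num_dims : a;
    // A debug-only DCHECK(current >= 0 && current < num_dims) sat here.
    bool duplicate = false;
    for (int seen : out) duplicate = duplicate || (seen == current);
    if (!duplicate) out.push_back(current);
  }
  return out;
}

// Hardened pattern: the same conversion, but the range test is unconditional
// and an out-of-range axis is reported to the caller instead of assumed away.
bool ResolveAxisChecked(int num_dims, const std::vector<int>& axis,
                        std::vector<int>* out) {
  out->clear();
  for (int a : axis) {
    int current = a < 0 ? a + num_dims : a;
    if (current < 0 || current >= num_dims) return false;
    bool duplicate = false;
    for (int seen : *out) duplicate = duplicate || (seen == current);
    if (!duplicate) out->push_back(current);
  }
  return true;
}

// Boundary validator for code that accepts axis values from outside. Negative
// axes are legitimate Python indexing; the property to enforce is
// -rank <= axis < rank, not axis >= 0.
bool AxesInRange(int rank, const std::vector<int>& axis) {
  for (int a : axis) {
    if (a < -rank || a >= rank) return false;
  }
  return true;
}

// Sum over one axis of a row-major tensor. Returns false and leaves *out empty
// when the axis is out of range, so dims[] and data[] are never indexed with
// an unresolved value.
bool ReduceSumAxis(const std::vector<int>& dims, const std::vector<float>& data,
                   int axis, std::vector<float>* out) {
  out->clear();
  std::vector<int> resolved;
  if (!ResolveAxisChecked(static_cast<int>(dims.size()), {axis}, &resolved)) {
    return false;
  }
  const int ax = resolved[0];
  // Row-major layout splits into outer dims (before ax), the reduced dim, and
  // inner dims (after ax); element (o, r, i) sits at (o*reduced + r)*inner + i.
  std::size_t outer = 1, inner = 1;
  for (int i = 0; i < ax; ++i) outer *= static_cast<std::size_t>(dims[i]);
  for (int i = ax + 1; i < static_cast<int>(dims.size()); ++i) {
    inner *= static_cast<std::size_t>(dims[i]);
  }
  const std::size_t reduced = static_cast<std::size_t>(dims[ax]);
  if (data.size() != outer * reduced * inner) return false;  // shape/data mismatch
  out->assign(outer * inner, 0.0f);
  for (std::size_t o = 0; o < outer; ++o) {
    for (std::size_t r = 0; r < reduced; ++r) {
      for (std::size_t i = 0; i < inner; ++i) {
        (*out)[o * inner + i] += data[(o * reduced + r) * inner + i];
      }
    }
  }
  return true;
}
```

The unchecked resolver never fails: on a rank-3 tensor it turns -1 into 2 as intended, but turns -5 into -2 and passes 4 through unchanged, and whatever consumes that index is the out-of-bounds access. The checked resolver and AxesInRange both accept -1 and reject -5 and 4, which is the property an API-boundary filter should enforce instead of a blanket ban on negative values.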

Weaknesses (CWE)

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
September 25, 2020
Last Modified
November 21, 2024
First Seen
September 25, 2020

Related Vulnerabilities