CVE-2020-15208: TFLite: OOB read/write via tensor dimension mismatch

CRITICAL PoC AVAILABLE
Published September 25, 2020
CISO Take

TensorFlow Lite releases before 1.15.4/2.0.3/2.1.2/2.2.1/2.3.1 allow unauthenticated remote attackers to trigger out-of-bounds memory access by crafting malicious tensor inputs — CVSS 9.8 with no privileges or user interaction required. Any edge, mobile, or server-side inference endpoint accepting external inputs over TFLite is exposed to memory corruption that can lead to RCE or data leakage. Patch immediately; if patching is delayed, isolate TFLite inference endpoints from untrusted network input.

What is the risk?

Severity is critical. The network-accessible attack vector with zero authentication and no user interaction requirements makes this trivially weaponizable against any public-facing TFLite inference service. The root cause — a DCHECK assertion silently disabled in release builds — is a systemic pattern in TensorFlow Lite that likely recurs across the codebase. Exploitation yields memory reads and writes beyond allocated buffers, enabling a skilled attacker to achieve arbitrary code execution on the inference host. Risk is elevated for organizations running edge AI deployments or on-device ML pipelines where patching cycles are long.

What systems are affected?

Package      Ecosystem   Vulnerable Range   Patched
TensorFlow   pip                            No patch
leap                                        No patch

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 0.9% chance of exploitation in 30 days (higher than 55% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

5 steps

  1. PATCH
     Upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 — commit 8ee24e7949a203d234489f9da2c5bf45a7d5157d contains the fix.

  2. DETECT
     Audit all TFLite version pins in requirements.txt, Podfile, build.gradle, and Docker images. Run `pip show tensorflow` and `pip show tflite-runtime` to identify vulnerable instances.

  3. WORKAROUND (if patching delayed)
     Enforce strict tensor shape validation in application code before passing inputs to TFLite. Reject requests with unexpected tensor dimensions at the API layer.

  4. ISOLATE
     Move TFLite inference behind an internal network boundary if the service does not need to be publicly accessible.

  5. MONITOR
     Enable memory safety tooling (AddressSanitizer, Valgrind) in staging to detect exploitation attempts.
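One way to implement the step 3 workaround, as an added example that is not code from this advisory or from TensorFlow: every input tensor in a request is checked against the model's declared input (name, shape, dtype, as reported by `interpreter.get_input_details()`) and against the byte length actually supplied, so the declared-dimension-versus-real-buffer mismatch the advisory describes is refused before the interpreter ever sees it. The request wire format (a shape list, a dtype name and raw bytes per tensor) and the `TensorSpec` helper are assumptions.

```python
# Added example, not code from the advisory or from TensorFlow: reject any
# request tensor that does not exactly match the model's declared input before
# it reaches the TFLite interpreter. TensorSpec mirrors the name/shape/dtype
# fields of interpreter.get_input_details(); the request wire format (shape,
# dtype name, raw bytes per tensor) is an assumption.
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Optional, Sequence, Tuple

ITEM_SIZE = {"float32": 4, "int32": 4, "int64": 8, "uint8": 1, "int8": 1}


@dataclass(frozen=True)
class TensorSpec:
    name: str
    shape: Tuple[int, ...]  # must be fully static; resolve dynamic dims first
    dtype: str


def tensor_error(spec: TensorSpec, shape: Sequence[int], dtype: str,
                 data: bytes) -> Optional[str]:
    """Return None if (shape, dtype, data) match spec exactly, else a reason."""
    if dtype != spec.dtype or dtype not in ITEM_SIZE:
        return f"{spec.name}: dtype {dtype!r} not accepted (expected {spec.dtype!r})"
    if len(shape) != len(spec.shape):
        return f"{spec.name}: rank {len(shape)} is not {len(spec.shape)}"
    for i, (got, want) in enumerate(zip(shape, spec.shape)):
        if want <= 0 or got != want:  # no dynamic (-1/0) dims accepted here
            return f"{spec.name}: dim {i} is {got}, expected {want}"
    n = prod(shape)
    # The advisory's bug is a declared dimension larger than the buffer that
    # really backs it; refusing any byte-length mismatch closes that gap.
    if len(data) != n * ITEM_SIZE[dtype]:
        return f"{spec.name}: {len(data)} bytes for {n} elements"
    return None


def request_errors(specs: Sequence[TensorSpec],
                   request: Dict[str, Tuple[Sequence[int], str, bytes]]) -> List[str]:
    """Validate a whole request: every declared input present, no extras."""
    errors = [f"unexpected input {name!r}"
              for name in sorted(set(request) - {s.name for s in specs})]
    for spec in specs:
        if spec.name not in request:
            errors.append(f"missing input {spec.name!r}")
            continue
        err = tensor_error(spec, *request[spec.name])
        if err:
            errors.append(err)
    return errors
```

A non-empty list from `request_errors` means the request is rejected at the API layer with those reasons; only an empty list is allowed through to `interpreter.set_tensor`.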

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - Management of AI system vulnerabilities
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2020-15208?

TensorFlow Lite releases before 1.15.4/2.0.3/2.1.2/2.2.1/2.3.1 allow unauthenticated remote attackers to trigger out-of-bounds memory access by crafting malicious tensor inputs — CVSS 9.8 with no privileges or user interaction required. Any edge, mobile, or server-side inference endpoint accepting external inputs over TFLite is exposed to memory corruption that can lead to RCE or data leakage. Patch immediately; if patching is delayed, isolate TFLite inference endpoints from untrusted network input.

Is CVE-2020-15208 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15208, increasing the risk of exploitation.

How to fix CVE-2020-15208?

1. PATCH: Upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 — commit 8ee24e7949a203d234489f9da2c5bf45a7d5157d contains the fix.
2. DETECT: Audit all TFLite version pins in requirements.txt, Podfile, build.gradle, and Docker images. Run `pip show tensorflow` and `pip show tflite-runtime` to identify vulnerable instances.
3. WORKAROUND (if patching delayed): Enforce strict tensor shape validation in application code before passing inputs to TFLite. Reject requests with unexpected tensor dimensions at the API layer.
4. ISOLATE: Move TFLite inference behind an internal network boundary if the service does not need to be publicly accessible.
5. MONITOR: Enable memory safety tooling (AddressSanitizer, Valgrind) in staging to detect exploitation attempts.

What systems are affected by CVE-2020-15208?

This vulnerability affects the following AI/ML architecture patterns: model serving, edge AI / embedded inference, mobile ML (on-device), training pipelines, inference pipelines.

What is the CVSS score for CVE-2020-15208?

CVE-2020-15208 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.89%.

What is the AI security impact?

Affected AI Architectures

model serving
edge AI / embedded inference
mobile ML (on-device)
training pipelines
inference pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can craft cases where this is larger than that of the second tensor. In turn, this would result in reads/writes outside of bounds since the interpreter will wrongly assume that there is enough data in both tensors. The issue is patched in commit 8ee24e7949a203d234489f9da2c5bf45a7d5157d, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

Exploitation Scenario

An adversary identifies a web service or mobile backend that accepts user-uploaded images or documents and passes them to a TFLite model for inference (e.g., object detection, OCR, fraud scoring). The attacker crafts a payload where the first tensor's declared dimension is larger than the second tensor's actual allocated buffer. In a release build, the DCHECK is a no-op, so TFLite proceeds with the oversized dimension from tensor one, causing the interpreter to read and write memory beyond the second tensor's bounds. On a server-side inference endpoint this can corrupt adjacent heap objects, enabling control flow hijacking. The attack requires no credentials and no victim interaction — a single malformed HTTP request to the inference endpoint suffices.

Weaknesses (CWE)

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: September 25, 2020
Last Modified: November 21, 2024
First Seen: September 25, 2020
