CVE-2020-15208: TFLite: OOB read/write via tensor dimension mismatch

CRITICAL PoC AVAILABLE
Published September 25, 2020
CISO Take

TensorFlow Lite releases before 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 let an attacker who controls the shapes of the tensors the interpreter operates on trigger out-of-bounds reads and writes: the dimension-equality check is a DCHECK that compiles to nothing in release builds, so a mismatched pair of tensors is processed as if both were as large as the first. CVSS 9.8, no privileges or user interaction required. Any edge, mobile or server-side inference endpoint that accepts external inputs, or loads models from sources it does not control, is exposed to memory corruption that can lead to code execution or data leakage. Patch immediately; if patching is delayed, validate tensor shapes before inference and isolate TFLite endpoints from untrusted network input.

Risk Assessment

Severity is critical. The CVSS vector assumes network reachability with no authentication or user interaction, which fits any public-facing inference service that lets request data determine the tensors it feeds to TFLite. The root cause, a DCHECK that is compiled out of release builds so the invariant it states is never enforced, is a pattern TensorFlow fixed in a batch of advisories published at the same time, so neighbouring code paths deserve the same scrutiny. Exploitation yields reads and writes beyond allocated buffers; turning that into arbitrary code execution on the inference host takes heap grooming, but is within reach of a skilled attacker. Risk is elevated for edge AI and on-device ML deployments, where patch cycles are long and the runtime is often statically linked into shipped binaries that no package upgrade touches.

Affected Systems

Package      Ecosystem   Vulnerable Range                                              Patched
tensorflow   pip         < 1.15.4; 2.0.0 to 2.0.2; 2.1.0 to 2.1.1; 2.2.0; 2.3.0        1.15.4, 2.0.3, 2.1.2, 2.2.1, 2.3.1
tensorflow   leap        (range not listed)                                            (no patched version listed)

The tflite-runtime wheel is built from the same source tree and follows the same version floors.

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 56% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Metric                      Value
AV (Attack Vector)          Network
AC (Attack Complexity)      Low
PR (Privileges Required)    None
UI (User Interaction)       None
S (Scope)                   Unchanged
C (Confidentiality)         High
I (Integrity)               High
A (Availability)            High

Recommended Action

5 steps
  1. PATCH

    Upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1, whichever is the patched release on your branch; commit 8ee24e7949a203d234489f9da2c5bf45a7d5157d contains the fix. Rebuild and redistribute any mobile or embedded binary that statically links the TFLite runtime, since those do not pick up a package upgrade.

  2. DETECT

    Audit all TFLite version pins in requirements.txt, Podfile, build.gradle, and Docker images, and check the corresponding CocoaPods and Maven artifacts against the same version floors. Run `pip show tensorflow` and `pip show tflite-runtime` to identify vulnerable instances; the tflite-runtime wheel is built from the same source tree and is vulnerable in the same versions.

  3. WORKAROUND (if patching delayed)

    Enforce strict tensor shape validation in application code before passing inputs to TFLite: check rank, every dimension and the payload byte length against the model's declared input tensor, and reject requests with unexpected tensor dimensions at the API layer. Treat model files as input too: load .tflite models only from sources you control, because a model whose operands declare mismatched shapes reaches the same code path.

  4. ISOLATE

    Move TFLite inference behind an internal network boundary if the service does not need to be publicly accessible, and run the inference worker as an unprivileged, sandboxed process so that memory corruption in the interpreter does not hand over the whole host.

  5. MONITOR

    Build TFLite with AddressSanitizer (or run it under Valgrind) in staging and fuzz the inference path with malformed inputs and models, so out-of-bounds accesses surface as crashes rather than silent corruption. In production, alert on inference-worker crashes and restarts (SIGSEGV, SIGABRT); those are the observable symptom of an exploitation attempt against this bug.
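One way to implement the shape check from step 3, as an added example written for this page (not the page's or TensorFlow's own code): the model's declared input is described by an InputSpec, which in a real service you would fill from the interpreter's input tensor metadata, and ValidateInput rejects a request before any bytes are copied into the interpreter. InputSpec, Verdict, ValidateInput and kMaxDynamicDim are names assumed for illustration; treating a non-positive declared dimension as dynamic and capping it is an assumed policy, not a TFLite convention.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>
#include <string>
#include <vector>

// Declared shape of one model input. In a deployment this would be filled from
// the interpreter's input tensor metadata (assumed; accessor names vary by API).
struct InputSpec {
  std::vector<int> dims;     // e.g. {1, 224, 224, 3}; a value <= 0 marks a
                             // dimension the model leaves dynamic (assumed convention)
  std::size_t element_size;  // bytes per element: 4 for float32, 1 for uint8
};

struct Verdict {
  bool ok;
  std::string reason;
};

// Upper bound for any dynamic dimension (assumed policy, tune per model).
constexpr int kMaxDynamicDim = 4096;

// Gate a request's claimed shape and payload size against the model's declared
// input before any bytes are copied into the interpreter's input tensor.
Verdict ValidateInput(const InputSpec& spec, const std::vector<int>& claimed_dims,
                      std::size_t payload_bytes) {
  constexpr std::size_t kMax = std::numeric_limits<std::size_t>::max();

  if (claimed_dims.size() != spec.dims.size()) {
    return {false, "rank mismatch"};
  }
  if (spec.element_size == 0) {
    return {false, "invalid element size in spec"};
  }

  std::size_t elements = 1;
  for (std::size_t i = 0; i < spec.dims.size(); ++i) {
    const int want = spec.dims[i];
    const int got = claimed_dims[i];
    if (got <= 0) {
      return {false, "non-positive dimension " + std::to_string(i)};
    }
    if (want > 0 && got != want) {
      return {false, "dimension " + std::to_string(i) + " mismatch"};
    }
    if (want <= 0 && got > kMaxDynamicDim) {
      return {false, "dynamic dimension " + std::to_string(i) + " too large"};
    }
    // Overflow-safe accumulation: a wrapped product would otherwise let an
    // oversized request pass the byte-length check below.
    const std::size_t g = static_cast<std::size_t>(got);
    if (elements > kMax / g) {
      return {false, "element count overflow"};
    }
    elements *= g;
  }

  if (elements > kMax / spec.element_size) {
    return {false, "byte count overflow"};
  }
  if (elements * spec.element_size != payload_bytes) {
    return {false, "payload size does not match declared shape"};
  }
  return {true, "ok"};
}

int main() {
  // Constructed sample: a float32 image model input and three hostile requests.
  const InputSpec spec{{1, 224, 224, 3}, 4};
  const std::vector<std::vector<int>> claims = {
      {1, 224, 224, 3}, {1, 224, 224}, {1, 256, 224, 3}};
  const std::size_t payloads[] = {602112, 602112, 688128};
  for (std::size_t k = 0; k < claims.size(); ++k) {
    const Verdict v = ValidateInput(spec, claims[k], payloads[k]);
    std::printf("request %zu: %s (%s)\n", k, v.ok ? "accept" : "reject", v.reason.c_str());
  }
  return 0;
}
```

The check runs on the request's own claims (shape header and body length) so that a client cannot get the interpreter to touch a buffer it did not actually send; the interpreter's resize path, if the service uses one, should be fed only from a shape that has passed this gate.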

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - Management of AI system vulnerabilities
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM03:2025 - Supply Chain (vulnerable ML runtime component); LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2020-15208?

TensorFlow Lite releases before 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 let an attacker who controls the shapes of the tensors the interpreter operates on trigger out-of-bounds reads and writes: the dimension-equality check is a DCHECK that compiles to nothing in release builds, so a mismatched pair of tensors is processed as if both were as large as the first. CVSS 9.8, no privileges or user interaction required. Any edge, mobile or server-side inference endpoint that accepts external inputs, or loads models from sources it does not control, is exposed to memory corruption that can lead to code execution or data leakage. Patch immediately; if patching is delayed, validate tensor shapes before inference and isolate TFLite endpoints from untrusted network input.

Is CVE-2020-15208 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15208, increasing the risk of exploitation.

How to fix CVE-2020-15208?

1. PATCH: Upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1, whichever is the patched release on your branch; commit 8ee24e7949a203d234489f9da2c5bf45a7d5157d contains the fix, and statically linked mobile or embedded binaries must be rebuilt. 2. DETECT: Audit all TFLite version pins in requirements.txt, Podfile, build.gradle, and Docker images. Run `pip show tensorflow` and `pip show tflite-runtime` to identify vulnerable instances; tflite-runtime follows the same version floors. 3. WORKAROUND (if patching delayed): Enforce strict tensor shape validation in application code before passing inputs to TFLite (rank, every dimension, payload byte length), reject requests with unexpected tensor dimensions at the API layer, and load .tflite models only from sources you control. 4. ISOLATE: Move TFLite inference behind an internal network boundary if the service does not need to be publicly accessible, and run the inference worker unprivileged and sandboxed. 5. MONITOR: Build with AddressSanitizer (or run under Valgrind) in staging and fuzz the inference path so out-of-bounds accesses surface as crashes; in production, alert on inference-worker crashes and restarts.

What systems are affected by CVE-2020-15208?

This vulnerability affects the following AI/ML architecture patterns: model serving, edge AI / embedded inference, mobile ML (on-device), training pipelines, inference pipelines.

What is the CVSS score for CVE-2020-15208?

CVE-2020-15208 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.33%.

Technical Details

NVD Description

In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can craft cases where this is larger than that of the second tensor. In turn, this would result in reads/writes outside of bounds since the interpreter will wrongly assume that there is enough data in both tensors. The issue is patched in commit 8ee24e7949a203d234489f9da2c5bf45a7d5157d, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
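The pattern the NVD text describes, as an added example written for this page (not TensorFlow's code): a stand-in for the dimension-matching helper whose DCHECK is compiled out of release builds, a toy elementwise kernel that trusts the value it returns, and a hardened variant that returns the smaller of the two dimensions. Shape, CheckedBuffer, RunAdd and OobAccessesWith are names assumed for illustration; CheckedBuffer counts out-of-range accesses instead of touching memory so the defect is visible without relying on undefined behaviour. The hardened helper is modeled on the patched behaviour rather than copied from the fix commit.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

// Stand-in for TFLite's runtime shape: a list of dimension sizes.
struct Shape {
  std::vector<int> dims;
  int Dims(int i) const { return dims.at(i); }
};

// In release builds TFLITE_DCHECK_EQ expands to nothing, so the equality the
// code intends to enforce is never checked. Modeled here as a no-op.
#define RELEASE_DCHECK_EQ(a, b) ((void)0)

// Unpatched pattern from the advisory: the first tensor's dimension is returned
// regardless of what the second tensor actually holds.
inline int MatchingDimUnpatched(const Shape& s1, int i1, const Shape& s2, int i2) {
  RELEASE_DCHECK_EQ(s1.Dims(i1), s2.Dims(i2));
  return s1.Dims(i1);
}

// Hardened variant (modeled on the patched behaviour, not copied from the fix):
// never report a common size larger than either operand.
inline int MatchingDimPatched(const Shape& s1, int i1, const Shape& s2, int i2) {
  RELEASE_DCHECK_EQ(s1.Dims(i1), s2.Dims(i2));
  return std::min(s1.Dims(i1), s2.Dims(i2));
}

// Buffer that records out-of-range accesses instead of touching memory, so the
// defect is observable without relying on undefined behaviour.
struct CheckedBuffer {
  std::vector<float> data;
  int oob = 0;
  float& at(int i) {
    static float sink;
    if (i < 0 || i >= static_cast<int>(data.size())) {
      ++oob;
      sink = 0.0f;
      return sink;
    }
    return data[static_cast<std::size_t>(i)];
  }
};

using MatchingDimFn = int (*)(const Shape&, int, const Shape&, int);

// Toy elementwise add in the style of a reference kernel: it bounds all three
// loops by the "common" size the helper reports and never re-checks operand 2.
// Returns the number of out-of-range accesses that occurred.
int RunAdd(MatchingDimFn matching_dim, const Shape& in1_shape, CheckedBuffer& in1,
           const Shape& in2_shape, CheckedBuffer& in2, CheckedBuffer& out) {
  const int n = matching_dim(in1_shape, 0, in2_shape, 0);
  for (int i = 0; i < n; ++i) {
    out.at(i) = in1.at(i) + in2.at(i);
  }
  return in1.oob + in2.oob + out.oob;
}

// Constructed mismatch: operand 1 declares 4 elements, operand 2 only holds 2.
int OobAccessesWith(MatchingDimFn fn) {
  const Shape s1{{4}};
  const Shape s2{{2}};
  CheckedBuffer a{{1.0f, 2.0f, 3.0f, 4.0f}};
  CheckedBuffer b{{10.0f, 20.0f}};
  CheckedBuffer out{std::vector<float>(4, 0.0f)};
  return RunAdd(fn, s1, a, s2, b, out);
}

int main() {
  std::printf("unpatched: %d out-of-range accesses\n", OobAccessesWith(MatchingDimUnpatched));
  std::printf("patched:   %d out-of-range accesses\n", OobAccessesWith(MatchingDimPatched));
  return 0;
}
```

With the unpatched helper the kernel reads two elements past the end of the second operand; in real TFLite those reads land on adjacent heap memory, and kernels that write through the same bound corrupt it. The patched helper truncates the loop to what both operands hold, which is why a mismatched model produces wrong output rather than memory corruption after the fix.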

Exploitation Scenario

An adversary identifies a web service or mobile backend that accepts user-uploaded images or documents and passes them to a TFLite model for inference (e.g., object detection, OCR, fraud scoring). The attacker crafts a payload in which the first tensor's declared dimension is larger than the second tensor's actual allocated buffer. In a release build the DCHECK is a no-op, so TFLite proceeds with the oversized dimension from the first tensor and the interpreter reads and writes memory beyond the second tensor's bounds. On a server-side inference endpoint this can corrupt adjacent heap objects, and with enough heap grooming enable control-flow hijacking. The attack requires no credentials and no victim interaction. Whether a single malformed request can reach the mismatch depends on whether the application lets request data determine tensor shapes; where shapes are fixed by the model, the mismatch has to come from the model file itself, so a tampered or untrusted .tflite model is an equally relevant vector.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
September 25, 2020
Last Modified
November 21, 2024
First Seen
September 25, 2020

Related Vulnerabilities