CVE-2020-15209: TensorFlow Lite: null ptr deref crashes model inference

MEDIUM PoC AVAILABLE
Published September 25, 2020
CISO Take

A crafted TFLite model file triggers a null pointer dereference by manipulating flatbuffer buffer indices, crashing the inference process. Patch to TF 1.15.4+/2.0.3+/2.1.2+/2.2.1+/2.3.1+—any deployment that loads TFLite models from untrusted sources (users, third-party registries, edge devices) is at DoS risk. No code execution, no data leak—but in production inference pipelines this means availability loss.

Risk Assessment

Medium operational risk. CVSS 5.9 with High attack complexity limits opportunistic exploitation—adversary must understand TFLite flatbuffer serialization to craft the malicious model. Impact is purely availability (A:H), no confidentiality or integrity impact. Risk escalates significantly in scenarios where models are loaded dynamically from external sources: mobile apps with user-uploaded models, inference APIs that accept arbitrary .tflite files, or automated pipelines pulling from public model repositories without integrity verification.

Affected Systems

Package      Ecosystem   Vulnerable Range   Patched
tensorflow   pip         -                  No patch
-            leap        -                  No patch

Severity & Risk

CVSS 3.1: 5.9 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 58% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Metric                     Value
AV (Attack Vector)         Network
AC (Attack Complexity)     High
PR (Privileges Required)   None
UI (User Interaction)      None
S (Scope)                  Unchanged
C (Confidentiality)        None
I (Integrity)              None
A (Availability)           High

Recommended Action

1. Patch: upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 immediately.
2. Model provenance control: only load .tflite files from cryptographically signed, internal sources; never from user uploads or unverified registries without validation.
3. Integrity checks: enforce SHA-256 checksums or code-signing on all model artifacts before load.
4. Sandboxing: run TFLite inference in isolated processes/containers so a crash does not cascade to the broader application.
5. Detection: monitor for abnormal inference process crashes/restarts as a potential indicator of malicious model delivery attempts.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - Information security measures for AI systems
A.8.3 - AI supply chain
NIST AI RMF
MANAGE 2.2 - Mechanisms to respond to and recover from AI risks
MAP 5.1 - Likelihood and magnitude of impacts from AI system failures assessed
OWASP LLM Top 10
LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2020-15209?

A crafted TFLite model file triggers a null pointer dereference by manipulating flatbuffer buffer indices, crashing the inference process. Patch to TF 1.15.4+/2.0.3+/2.1.2+/2.2.1+/2.3.1+—any deployment that loads TFLite models from untrusted sources (users, third-party registries, edge devices) is at DoS risk. No code execution, no data leak—but in production inference pipelines this means availability loss.

Is CVE-2020-15209 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15209, increasing the risk of exploitation.

How to fix CVE-2020-15209?

1. Patch: upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 immediately.
2. Model provenance control: only load .tflite files from cryptographically signed, internal sources; never from user uploads or unverified registries without validation.
3. Integrity checks: enforce SHA-256 checksums or code-signing on all model artifacts before load.
4. Sandboxing: run TFLite inference in isolated processes/containers so a crash does not cascade to the broader application.
5. Detection: monitor for abnormal inference process crashes/restarts as a potential indicator of malicious model delivery attempts.

What systems are affected by CVE-2020-15209?

This vulnerability affects the following AI/ML architecture patterns: edge inference / mobile deployment, model serving, training pipelines, supply chain / model registry.

What is the CVSS score for CVE-2020-15209?

CVE-2020-15209 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.36%.

Technical Details

NVD Description

In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one. The runtime assumes that these buffers are written to before a possible read, hence they are initialized with `nullptr`. However, by changing the buffer index for a tensor and implicitly converting that tensor to be a read-write one, as there is nothing in the model that writes to it, we get a null pointer dereference. The issue is patched in commit 0b5662bc, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

Exploitation Scenario

Adversary crafts a malicious .tflite model file by modifying the flatbuffer serialization to remap a tensor's buffer index from read-only to read-write, so that it points to a nullptr-initialized buffer that is never written before it is read. The adversary distributes this file via a public model hub (e.g., TensorFlow Hub if unverified), a supply chain compromise of an ML pipeline artifact store, or via social engineering (e.g., sending a 'benchmark model' to a target MLOps team). When the target's TFLite runtime loads and executes the model, the null pointer dereference triggers, crashing the inference process. In an automated inference API context, repeated delivery of this model causes persistent DoS without any authentication required.
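As an added example (not from the advisory or from TensorFlow), the invariant the NVD description implies, written as a pre-load check that complements the integrity checks recommended above: every tensor an operator reads must be a subgraph input, the output of some operator, or backed by a buffer that actually holds data. The model is assumed to have already been read from the .tflite flatbuffer into plain dicts whose field names mirror the TFLite schema (buffers, subgraphs, tensors, inputs, outputs, operators); the sample graph below is constructed.

```python
import copy

# Constructed sample: one fully-connected-style operator reading the graph
# input (tensor 0), a weight constant (tensor 1) and a bias constant
# (tensor 2), and writing tensor 3.  Buffer 0 is the empty sentinel TFLite
# uses for tensors without data; buffers 1 and 2 hold the constants.
SAMPLE_BUFFERS = [{"data": b""}, {"data": bytes(16)}, {"data": bytes(4)}]
SAMPLE_MODEL = {
    "buffers": SAMPLE_BUFFERS,
    "subgraphs": [{
        "tensors": [
            {"name": "input", "buffer": 0},
            {"name": "weights", "buffer": 1},
            {"name": "bias", "buffer": 2},
            {"name": "output", "buffer": 0},
        ],
        "inputs": [0],
        "outputs": [3],
        "operators": [{"inputs": [0, 1, 2], "outputs": [3]}],
    }],
}


def find_unbacked_reads(subgraph, buffers):
    """Indices of tensors an operator reads although nothing in the subgraph
    writes them and their buffer holds no data.  That is the condition the
    advisory describes: the runtime treats such a tensor as read-write, leaves
    its data pointer null, and the reading node dereferences it."""
    written = set(subgraph["inputs"])       # graph inputs are filled by the caller
    for op in subgraph["operators"]:
        written.update(op["outputs"])        # intermediates are written by producers
    unbacked = set()
    for op in subgraph["operators"]:
        for t in op["inputs"]:
            if t < 0 or t in written:        # -1 marks an optional, absent input
                continue
            buf = subgraph["tensors"][t]["buffer"]
            # Out-of-range index or empty buffer: no data will ever be there.
            if buf >= len(buffers) or not buffers[buf]["data"]:
                unbacked.add(t)
    return sorted(unbacked)


def model_is_loadable(model):
    """True if every subgraph passes the check; run before the interpreter."""
    return all(not find_unbacked_reads(sg, model["buffers"])
               for sg in model["subgraphs"])


def with_remapped_buffer(model, tensor_index, new_buffer):
    """Copy of model with one tensor's buffer index changed; used only as a
    negative test fixture for the check above (hypothetical helper)."""
    altered = copy.deepcopy(model)
    altered["subgraphs"][0]["tensors"][tensor_index]["buffer"] = new_buffer
    return altered
```

A rejected model should be quarantined and logged alongside the checksum mismatch events from step 3, since either is a usable signal for the crash monitoring in step 5.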

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: September 25, 2020
Last Modified: November 21, 2024
First Seen: September 25, 2020

Related Vulnerabilities