CVE-2020-15209: TensorFlow Lite: null ptr deref crashes model inference

MEDIUM PoC AVAILABLE
Published September 25, 2020
CISO Take

A crafted TFLite model file triggers a null pointer dereference by manipulating flatbuffer buffer indices, crashing the inference process. Patch to TF 1.15.4+/2.0.3+/2.1.2+/2.2.1+/2.3.1+—any deployment that loads TFLite models from untrusted sources (users, third-party registries, edge devices) is at DoS risk. No code execution, no data leak—but in production inference pipelines this means availability loss.

What is the risk?

Medium operational risk. CVSS 5.9 with High attack complexity limits opportunistic exploitation: an adversary must understand TFLite flatbuffer serialization to craft the malicious model. Impact is purely availability (A:H), with no confidentiality or integrity impact. Risk escalates significantly in scenarios where models are loaded dynamically from external sources: mobile apps with user-uploaded models, inference APIs that accept arbitrary .tflite files, or automated pipelines pulling from public model repositories without integrity verification.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
leap No patch

How severe is it?

CVSS 3.1
5.9 / 10
EPSS
0.8%
chance of exploitation in 30 days
Higher than 52% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

What should I do?

  1. Patch: upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 immediately.
  2. Model provenance control: only load .tflite files from cryptographically signed, internal sources—never from user uploads or unverified registries without validation.
  3. Integrity checks: enforce SHA-256 checksums or code-signing on all model artifacts before load.
  4. Sandboxing: run TFLite inference in isolated processes/containers so a crash does not cascade to the broader application.
  5. Detection: monitor for abnormal inference process crashes/restarts as a potential indicator of malicious model delivery attempts.
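The following is an added example (not TensorFlow's code and not from this advisory) of how steps 3 to 5 above, which the FAQ repeats, fit together in a deployment: pin the SHA-256 of every approved model, load and run the model in a child process so a crash cannot take the caller down, and count crashes per model source as a detection signal. The loader command is pluggable; the one embedded here is a constructed stand-in that aborts when it sees a marker byte string, standing in for the real loader (a script calling `tflite_runtime.interpreter.Interpreter(...).allocate_tensors()`). Function names, the marker string and the sample files are all constructed for this example.

```python
"""Deployment-side guard for loading .tflite models (added example, not TensorFlow code).

Covers the remediation steps: SHA-256 allowlist before a model file is opened,
loading in a separate process so a nullptr crash is contained, and a per-source
crash counter as a detection signal. The embedded loader is a constructed stand-in.
"""
import hashlib
import os
import subprocess
import sys
import tempfile
from collections import Counter


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_model_digest(path: str, allowlist) -> bool:
    """Step 3: only models whose SHA-256 is pinned in the allowlist may be loaded."""
    return sha256_file(path) in allowlist


# Constructed stand-in loader. In production this would be a script that calls
# tflite_runtime.interpreter.Interpreter(model_path=sys.argv[1]).allocate_tensors()
# and then invoke(). Here a file containing b"CRASHME" simulates the crash by
# aborting the child process (SIGABRT), which the parent sees as a signal death.
SIMULATED_LOADER = (
    "import os, sys\n"
    "data = open(sys.argv[1], 'rb').read()\n"
    "if b'CRASHME' in data:\n"
    "    os.abort()\n"
)


def run_isolated(model_path: str, loader_cmd=None, timeout: float = 30.0) -> str:
    """Step 4: run the loader in a child process and classify the outcome as
    'ok', 'crashed' (killed by a signal; negative return code on POSIX),
    'failed' (clean non-zero exit) or 'timeout'. The caller never maps the model."""
    cmd = list(loader_cmd or [sys.executable, "-c", SIMULATED_LOADER]) + [model_path]
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    if proc.returncode == 0:
        return "ok"
    return "crashed" if proc.returncode < 0 else "failed"


class CrashMonitor:
    """Step 5: count crashes per model source; repeated crashes from one source
    are the signal that something is delivering bad models."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.crashes = Counter()

    def record(self, source: str, status: str) -> bool:
        """Return True once the source has reached the alert threshold."""
        if status in ("crashed", "timeout"):
            self.crashes[source] += 1
        return self.crashes[source] >= self.threshold


def load_model_guarded(model_path: str, source: str, allowlist, monitor: CrashMonitor,
                       loader_cmd=None) -> str:
    """Full gate: digest allowlist first, then isolated load, then crash accounting."""
    if not verify_model_digest(model_path, allowlist):
        return "rejected:digest"
    status = run_isolated(model_path, loader_cmd)
    if monitor.record(source, status):
        # Hook an alert here (SIEM event, page the on-call, quarantine the source).
        return status + ":alert"
    return status


def _write_temp(content: bytes) -> str:
    """Write constructed sample bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".tflite")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    good = _write_temp(b"benign constructed model bytes")
    bad = _write_temp(b"CRASHME constructed model bytes")
    allow = {sha256_file(good)}
    mon = CrashMonitor(threshold=2)
    print(load_model_guarded(good, "internal-registry", allow, mon))  # ok
    print(load_model_guarded(bad, "user-upload", allow, mon))         # rejected:digest
    allow.add(sha256_file(bad))                                       # digest slipped into the allowlist
    print(load_model_guarded(bad, "user-upload", allow, mon))         # crashed
    print(load_model_guarded(bad, "user-upload", allow, mon))         # crashed:alert
```

The order of the checks matters: the digest check runs before the file is ever handed to a parser, so a crafted model that is not on the allowlist never reaches the vulnerable code, and the process boundary is what turns a nullptr dereference from an outage into a logged event.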

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - Information security measures for AI systems
A.8.3 - AI supply chain
NIST AI RMF
MANAGE 2.2 - Mechanisms to respond to and recover from AI risks
MAP 5.1 - Likelihood and magnitude of impacts from AI system failures assessed
OWASP LLM Top 10
LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2020-15209?

A crafted TFLite model file triggers a null pointer dereference by manipulating flatbuffer buffer indices, crashing the inference process. Patch to TF 1.15.4+/2.0.3+/2.1.2+/2.2.1+/2.3.1+—any deployment that loads TFLite models from untrusted sources (users, third-party registries, edge devices) is at DoS risk. No code execution, no data leak—but in production inference pipelines this means availability loss.

Is CVE-2020-15209 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15209, increasing the risk of exploitation.

How to fix CVE-2020-15209?

  1. Patch: upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 immediately.
  2. Model provenance control: only load .tflite files from cryptographically signed, internal sources—never from user uploads or unverified registries without validation.
  3. Integrity checks: enforce SHA-256 checksums or code-signing on all model artifacts before load.
  4. Sandboxing: run TFLite inference in isolated processes/containers so a crash does not cascade to the broader application.
  5. Detection: monitor for abnormal inference process crashes/restarts as a potential indicator of malicious model delivery attempts.

What systems are affected by CVE-2020-15209?

This vulnerability affects the following AI/ML architecture patterns: edge inference / mobile deployment, model serving, training pipelines, supply chain / model registry.

What is the CVSS score for CVE-2020-15209?

CVE-2020-15209 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.80%.

What is the AI security impact?

Affected AI Architectures

edge inference / mobile deployment
model serving
training pipelines
supply chain / model registry

MITRE ATLAS Techniques

AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.3, A.8.3
NIST AI RMF: MANAGE 2.2, MAP 5.1
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one. The runtime assumes that these buffers are written to before a possible read, hence they are initialized with `nullptr`. However, by changing the buffer index for a tensor and implicitly converting that tensor to be a read-write one, as there is nothing in the model that writes to it, we get a null pointer dereference. The issue is patched in commit 0b5662bc, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
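To make the advisory's mechanism concrete, here is an added toy re-creation of the tensor/buffer relationship it describes; it is not TensorFlow's code and not the fix in commit 0b5662bc. It mirrors two conventions of the TFLite schema (buffer index 0 is the empty sentinel, and a tensor backed by a non-empty buffer is constant, read-only data) and otherwise uses constructed names, a single made-up `ADD` op and constructed values. `invoke_unchecked` models the pre-patch assumption that every read-write tensor is written before it is read, so a tensor that nothing produces is read as `None` (the `nullptr`); `validate_model` is the loader-side check a defender wants, rejecting any graph in which a node reads a tensor that is neither a graph input, a constant, nor the output of an earlier node.

```python
"""Toy re-creation of the tensor/buffer relationship described in the advisory
(added illustration; not TensorFlow's code and not the fix from commit 0b5662bc).

Mirrored from the TFLite schema: buffers[0] is the empty sentinel, a tensor whose
buffer holds bytes is read-only (constant) data, and a tensor that points at the
empty buffer is read-write storage that only exists once some node writes it.
Op names, tensor names and values are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Tensor:
    name: str
    buffer: int                 # index into Model.buffers; 0 = empty sentinel


@dataclass
class Node:
    op: str
    inputs: List[int]           # tensor indices read by this node
    outputs: List[int]          # tensor indices written by this node


@dataclass
class Model:
    buffers: List[bytes]        # buffers[0] must be b""
    tensors: List[Tensor]
    nodes: List[Node]           # in execution order
    graph_inputs: List[int]
    graph_outputs: List[int]


def is_read_only(model: Model, t: int) -> bool:
    """A tensor backed by a non-empty buffer is constant data (read-only)."""
    return model.buffers[model.tensors[t].buffer] != b""


def validate_model(model: Model) -> Optional[str]:
    """Loader-side check: every tensor a node reads must be a graph input, a
    constant, or the output of an earlier node. A read-write tensor that nothing
    writes is the 'nullptr buffer' case from the advisory. Returns None if OK."""
    if not model.buffers or model.buffers[0] != b"":
        return "buffers[0] must be the empty sentinel"
    defined = set(model.graph_inputs)
    defined.update(t for t in range(len(model.tensors)) if is_read_only(model, t))
    for i, node in enumerate(model.nodes):
        for t in node.inputs:
            if t not in defined:
                name = model.tensors[t].name
                return f"node {i} ({node.op}) reads tensor {t} ({name}) that nothing writes"
        defined.update(node.outputs)
    return None


def invoke_unchecked(model: Model, feeds: Dict[int, List[int]]) -> Dict[int, List[int]]:
    """Runtime that trusts the model the way the advisory describes: read-write
    tensors start as None (the nullptr) on the assumption that a producer writes
    them first. Reading one that was never written fails with TypeError here;
    in native code that is the null pointer dereference."""
    data: Dict[int, Optional[List[int]]] = {}
    for t, tensor in enumerate(model.tensors):
        data[t] = list(model.buffers[tensor.buffer]) if is_read_only(model, t) else None
    for t, values in feeds.items():
        data[t] = list(values)
    for node in model.nodes:
        if node.op != "ADD":                      # the only op this toy supports
            raise NotImplementedError(node.op)
        a, b = (data[t] for t in node.inputs)
        data[node.outputs[0]] = [x + y for x, y in zip(a, b)]   # zip(None, ...) -> TypeError
    return {t: data[t] for t in model.graph_outputs}


def invoke_checked(model: Model, feeds: Dict[int, List[int]]) -> Dict[int, List[int]]:
    """Hardened entry point: reject the model before any tensor is touched."""
    err = validate_model(model)
    if err is not None:
        raise ValueError("model rejected: " + err)
    return invoke_unchecked(model, feeds)


def benign_model() -> Model:
    """input (read-write, fed by the caller) + weights (constant) -> output."""
    return Model(
        buffers=[b"", bytes([1, 2, 3])],
        tensors=[Tensor("input", 0), Tensor("weights", 1), Tensor("output", 0)],
        nodes=[Node("ADD", inputs=[0, 1], outputs=[2])],
        graph_inputs=[0],
        graph_outputs=[2],
    )


def unproduced_input_model() -> Model:
    """Same graph, but 'weights' now points at the empty buffer: it has become a
    read-write tensor that no node produces, the condition the advisory describes."""
    m = benign_model()
    m.tensors[1] = Tensor("weights", 0)
    return m


if __name__ == "__main__":
    print(invoke_checked(benign_model(), {0: [10, 20, 30]}))  # {2: [11, 22, 33]}
    print(validate_model(unproduced_input_model()))            # node 0 (ADD) reads tensor 1 (weights) that nothing writes
```

The validation is a whole-graph pass done once at load time, which is the cheap place to put it: the runtime's per-node code never has to ask whether an input pointer is real, because a graph that would leave one dangling is refused before allocation.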

Exploitation Scenario

An adversary crafts a malicious .tflite model file by modifying the flatbuffer serialization to remap a tensor's buffer index from read-only to read-write—pointing to a nullptr-initialized buffer that is never written before being read. The adversary distributes this file via a public model hub (e.g., TensorFlow Hub if unverified), a supply chain compromise of an ML pipeline artifact store, or social engineering (e.g., sending a 'benchmark model' to a target MLOps team). When the target's TFLite runtime loads and executes the model, the null pointer dereference triggers and crashes the inference process. In an automated inference API context, repeated delivery of this model causes persistent DoS without any authentication required.

Weaknesses (CWE)

CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.

  • [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
  • [Requirements] Select a programming language that is not susceptible to these issues.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
September 25, 2020
Last Modified
November 21, 2024
First Seen
September 25, 2020

Related Vulnerabilities