CVE-2020-15210 — MEDIUM (CVSS 6.5) AI Security Vulnerability

CISO Take

This vulnerability allows a crafted TFLite model file to trigger memory corruption or crash any application running TensorFlow Lite inference. The primary risk is to systems that load externally-supplied or user-provided TFLite model files — patch to TF 1.15.4/2.0.3/2.1.2/2.2.1/2.3.1 immediately. If your stack runs fixed inference on internal models only, residual risk is low but patching remains mandatory.

Risk Assessment

Medium overall, but contextually high for any deployment accepting third-party TFLite model files. CVSS 6.5 with network attack vector and no privileges required is meaningful in model-serving pipelines. High attack complexity (crafting a valid-but-malicious model) prevents script-kiddie exploitation, but a motivated adversary with ML knowledge can reliably reproduce the condition. Availability impact is high (segfault crashes inference service); integrity impact is limited but memory corruption leaves open the possibility of further exploitation in hardened environments.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →
leap	—	—	No patch

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 56% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC High

PR None

UI None

S Unchanged

C None

I Low

A High

Recommended Action

5 steps

Patch: upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 — no workaround exists at the operator level.
Enforce model provenance: only load TFLite model files from signed, internally-controlled sources; reject user-supplied or third-party model files until provenance can be verified.
Add process isolation: run TFLite inference in sandboxed processes (containerized, separate user, seccomp) so a segfault cannot cascade to broader service availability.
Monitor for unexpected crashes in inference services — repeated segfaults may indicate active probing.
Audit model-update pipelines (OTA updates, CI/CD model artifacts) to ensure model files are hash-verified before deployment.

Classification

Supply Chain DoS Code Execution Framework Inference Model AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity of high-risk AI systems

ISO 42001

A.6.2.3 - AI system risk treatment A.8.4 - AI system testing

NIST AI RMF

GOVERN-1.2 - Accountability for AI risk management MS-2.5 - Incident response and recovery for AI risks

Frequently Asked Questions

What is CVE-2020-15210?

This vulnerability allows a crafted TFLite model file to trigger memory corruption or crash any application running TensorFlow Lite inference. The primary risk is to systems that load externally-supplied or user-provided TFLite model files — patch to TF 1.15.4/2.0.3/2.1.2/2.2.1/2.3.1 immediately. If your stack runs fixed inference on internal models only, residual risk is low but patching remains mandatory.

Is CVE-2020-15210 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15210, increasing the risk of exploitation.

How to fix CVE-2020-15210?

1. Patch: upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 — no workaround exists at the operator level. 2. Enforce model provenance: only load TFLite model files from signed, internally-controlled sources; reject user-supplied or third-party model files until provenance can be verified. 3. Add process isolation: run TFLite inference in sandboxed processes (containerized, separate user, seccomp) so a segfault cannot cascade to broader service availability. 4. Monitor for unexpected crashes in inference services — repeated segfaults may indicate active probing. 5. Audit model-update pipelines (OTA updates, CI/CD model artifacts) to ensure model files are hash-verified before deployment.

What systems are affected by CVE-2020-15210?

This vulnerability affects the following AI/ML architecture patterns: TFLite model serving, edge AI inference, mobile AI inference, model loading pipelines, CI/CD model evaluation pipelines.

What is the CVSS score for CVE-2020-15210?

CVE-2020-15210 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.33%.

Technical Details

NVD Description

In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and will release patch releases for all versions between 1.15 and 2.3. We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

Exploitation Scenario

An adversary with knowledge of TFLite model format crafts a malicious .tflite model file where a specific operator is configured with the same tensor ID as both its input and output. The adversary targets an organization running a TFLite-based API endpoint (e.g., mobile backend inference, edge device management console) that accepts custom model uploads for on-device personalization. Upon upload and inference execution, the runtime dereferences the aliased tensor, producing either a segmentation fault — crashing the inference worker — or silent memory corruption that could be further leveraged for limited code execution. In a CI/CD context, injecting this model into an automated model-evaluation pipeline crashes the pipeline runner and delays model releases, constituting a supply chain disruption.