CVE-2020-15210: TensorFlow memory corruption

CISO Take

This vulnerability allows a crafted TFLite model file to trigger memory corruption or crash any application running TensorFlow Lite inference. The primary risk is to systems that load externally-supplied or user-provided TFLite model files — patch to TF 1.15.4/2.0.3/2.1.2/2.2.1/2.3.1 immediately. If your stack runs fixed inference on internal models only, residual risk is low but patching remains mandatory.

What is the risk?

Medium overall, but contextually high for any deployment accepting third-party TFLite model files. CVSS 6.5 with network attack vector and no privileges required is meaningful in model-serving pipelines. High attack complexity (crafting a valid-but-malicious model) prevents script-kiddie exploitation, but a motivated adversary with ML knowledge can reliably reproduce the condition. Availability impact is high (segfault crashes inference service); integrity impact is limited but memory corruption leaves open the possibility of further exploitation in hardened environments.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →
leap	—	—	No patch

How severe is it?

CVSS 3.1

6.5 / 10

EPSS

0.7%

chance of exploitation in 30 days

Higher than 49% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC High

PR None

UI None

S Unchanged

C None

I Low

A High

What should I do?

5 steps

Patch: upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 — no workaround exists at the operator level.
Enforce model provenance: only load TFLite model files from signed, internally-controlled sources; reject user-supplied or third-party model files until provenance can be verified.
Add process isolation: run TFLite inference in sandboxed processes (containerized, separate user, seccomp) so a segfault cannot cascade to broader service availability.
Monitor for unexpected crashes in inference services — repeated segfaults may indicate active probing.
Audit model-update pipelines (OTA updates, CI/CD model artifacts) to ensure model files are hash-verified before deployment.

How is it classified?

Supply Chain DoS Code Execution Framework Inference Model AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity of high-risk AI systems

ISO 42001

A.6.2.3 - AI system risk treatment A.8.4 - AI system testing

NIST AI RMF

GOVERN-1.2 - Accountability for AI risk management MS-2.5 - Incident response and recovery for AI risks

Frequently Asked Questions

What is CVE-2020-15210?

This vulnerability allows a crafted TFLite model file to trigger memory corruption or crash any application running TensorFlow Lite inference. The primary risk is to systems that load externally-supplied or user-provided TFLite model files — patch to TF 1.15.4/2.0.3/2.1.2/2.2.1/2.3.1 immediately. If your stack runs fixed inference on internal models only, residual risk is low but patching remains mandatory.

Is CVE-2020-15210 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15210, increasing the risk of exploitation.

How to fix CVE-2020-15210?

1. Patch: upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 — no workaround exists at the operator level. 2. Enforce model provenance: only load TFLite model files from signed, internally-controlled sources; reject user-supplied or third-party model files until provenance can be verified. 3. Add process isolation: run TFLite inference in sandboxed processes (containerized, separate user, seccomp) so a segfault cannot cascade to broader service availability. 4. Monitor for unexpected crashes in inference services — repeated segfaults may indicate active probing. 5. Audit model-update pipelines (OTA updates, CI/CD model artifacts) to ensure model files are hash-verified before deployment.

What systems are affected by CVE-2020-15210?

This vulnerability affects the following AI/ML architecture patterns: TFLite model serving, edge AI inference, mobile AI inference, model loading pipelines, CI/CD model evaluation pipelines.

What is the CVSS score for CVE-2020-15210?

CVE-2020-15210 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.73%.

What is the AI security impact?

Affected AI Architectures

TFLite model servingedge AI inferencemobile AI inferencemodel loading pipelinesCI/CD model evaluation pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0011.000 Unsafe AI Artifacts

AML.T0029 Denial of AI Service

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.3, A.8.4

NIST AI RMF: GOVERN-1.2, MS-2.5

What are the technical details?

Original Advisory

In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and will release patch releases for all versions between 1.15 and 2.3. We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

Exploitation Scenario

An adversary with knowledge of TFLite model format crafts a malicious .tflite model file where a specific operator is configured with the same tensor ID as both its input and output. The adversary targets an organization running a TFLite-based API endpoint (e.g., mobile backend inference, edge device management console) that accepts custom model uploads for on-device personalization. Upon upload and inference execution, the runtime dereferences the aliased tensor, producing either a segmentation fault — crashing the inference worker — or silent memory corruption that could be further leveraged for limited code execution. In a CI/CD context, injecting this model into an automated model-evaluation pipeline crashes the pipeline runner and delays model releases, constituting a supply chain disruption.

Weaknesses (CWE)

CWE-787 Out-of-bounds Write Primary CWE-20 Improper Input Validation

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

[Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.