CVE-2020-15212: TensorFlow Lite: heap OOB write via segment sum op

HIGH PoC AVAILABLE

Published September 25, 2020

CISO Take

Any system loading untrusted TFLite models with segment sum operations is at risk of heap memory corruption that can be chained into code execution. Upgrade to TensorFlow 2.2.1 or 2.3.1 immediately; if upgrade is blocked, add a model verifier that rejects negative segment IDs. Audit your model ingestion pipelines — if you load third-party or user-supplied TFLite models without validation, assume exploitation is feasible.

What is the risk?

High severity (CVSS 8.6) with network vector, no authentication, and low complexity — meaning any service that loads externally-supplied TFLite models is directly exposed. While this is a 2020 CVE, unpatched TFLite deployments remain common in embedded, mobile, and edge inference stacks that receive infrequent security updates. The CWE-787 out-of-bounds write is chainable with other memory corruption bugs to achieve reliable code execution, elevating practical risk beyond the base score. No CISA KEV listing suggests no confirmed mass exploitation, but the technique is well within reach of motivated actors.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

8.6 / 10

EPSS

0.6%

chance of exploitation in 30 days

Higher than 44% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C Low

I Low

A High

What should I do?

5 steps

PATCH

Upgrade TensorFlow to 2.2.1 or 2.3.1 (commit 204945b). Check all environments including embedded/edge fleets — these are often missed.
VERIFY

Add a custom TFLite Verifier before model loading that validates all segment IDs are non-negative.
ISOLATE

Run TFLite inference in sandboxed processes (seccomp, containers) to limit blast radius if memory corruption occurs.
AUDIT

Identify all ingestion points where untrusted .tflite models enter your systems (APIs, file uploads, model registries, federated learning pipelines).
DETECT

Monitor for segfaults or abnormal process crashes in inference workers as a signal of active exploitation attempts.

How is it classified?

Code Execution Supply Chain Framework Inference Model AML.T0010.001 - AI Software AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.2.6 - AI system security A.8.2 - AI system inputs

NIST AI RMF

GOVERN-1.1 - Policies and processes for AI risk management MANAGE-2.2 - Mechanisms to sustain deployed AI value and manage risks

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2020-15212?

Is CVE-2020-15212 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15212, increasing the risk of exploitation.

How to fix CVE-2020-15212?

1. PATCH: Upgrade TensorFlow to 2.2.1 or 2.3.1 (commit 204945b). Check all environments including embedded/edge fleets — these are often missed. 2. VERIFY: Add a custom TFLite Verifier before model loading that validates all segment IDs are non-negative. 3. ISOLATE: Run TFLite inference in sandboxed processes (seccomp, containers) to limit blast radius if memory corruption occurs. 4. AUDIT: Identify all ingestion points where untrusted .tflite models enter your systems (APIs, file uploads, model registries, federated learning pipelines). 5. DETECT: Monitor for segfaults or abnormal process crashes in inference workers as a signal of active exploitation attempts.

What systems are affected by CVE-2020-15212?

This vulnerability affects the following AI/ML architecture patterns: edge inference, mobile ML applications, model serving, training pipelines, embedded AI systems.

What is the CVSS score for CVE-2020-15212?

CVE-2020-15212 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 0.61%.

What is the AI security impact?

Affected AI Architectures

edge inferencemobile ML applicationsmodel servingtraining pipelinesembedded AI systems

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0010.003 Model

AML.T0011.000 Unsafe AI Artifacts

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15, Article 9

ISO 42001: A.6.2.6, A.8.2

NIST AI RMF: GOVERN-1.1, MANAGE-2.2

OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `output_data` buffer. This might result in a segmentation fault but it can also be used to further corrupt the memory and can be chained with other vulnerabilities to create more advanced exploits. The issue is patched in commit 204945b19e44b57906c9344c0d00120eeeae178a and is released in TensorFlow versions 2.2.1, or 2.3.1. A potential workaround would be to add a custom `Verifier` to the model loading code to ensure that the segment ids are all positive, although this only handles the case when the segment ids are stored statically in the model. A similar validation could be done if the segment ids are generated at runtime between inference steps. If the segment ids are generated as outputs of a tensor during inference steps, then there are no possible workaround and users are advised to upgrade to patched code.

Exploitation Scenario

An adversary targeting an organization's ML inference API constructs a malicious TFLite model with a segment sum operation containing negative values in the segment_ids tensor. The model passes basic format validation and is accepted by the endpoint. At inference time, TFLite processes the negative segment IDs, computing an invalid output_index that points outside the allocated output_data heap buffer. The resulting write corrupts adjacent heap metadata. The adversary chains this with a heap info-leak to defeat ASLR, then uses a second model inference call to achieve controlled write-what-where, ultimately achieving remote code execution on the model-serving host with the privileges of the inference process.

Weaknesses (CWE)

CWE-787 Out-of-bounds Write Primary CWE-787 Out-of-bounds Write

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

[Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.