AI Threat Alert AI Threat Alert

CVE-2020-15212: TensorFlow Lite: heap OOB write via segment sum op

HIGH PoC AVAILABLE
Published September 25, 2020
CISO Take

Any system loading untrusted TFLite models with segment sum operations is at risk of heap memory corruption that can be chained into code execution. Upgrade to TensorFlow 2.2.1 or 2.3.1 immediately; if upgrade is blocked, add a model verifier that rejects negative segment IDs. Audit your model ingestion pipelines — if you load third-party or user-supplied TFLite models without validation, assume exploitation is feasible.

Risk Assessment

High severity (CVSS 8.6) with network vector, no authentication, and low complexity — meaning any service that loads externally-supplied TFLite models is directly exposed. While this is a 2020 CVE, unpatched TFLite deployments remain common in embedded, mobile, and edge inference stacks that receive infrequent security updates. The CWE-787 out-of-bounds write is chainable with other memory corruption bugs to achieve reliable code execution, elevating practical risk beyond the base score. No CISA KEV listing suggests no confirmed mass exploitation, but the technique is well within reach of motivated actors.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
8.6 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 47% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C Low
I Low
A High

Recommended Action

5 steps

  1. PATCH

    Upgrade TensorFlow to 2.2.1 or 2.3.1 (commit 204945b). Check all environments including embedded/edge fleets — these are often missed.

  2. VERIFY

    Add a custom TFLite Verifier before model loading that validates all segment IDs are non-negative.

  3. ISOLATE

    Run TFLite inference in sandboxed processes (seccomp, containers) to limit blast radius if memory corruption occurs.

  4. AUDIT

    Identify all ingestion points where untrusted .tflite models enter your systems (APIs, file uploads, model registries, federated learning pipelines).

  5. DETECT

    Monitor for segfaults or abnormal process crashes in inference workers as a signal of active exploitation attempts.

Classification

Code Execution Supply Chain Framework Inference Model AML.T0010.001 AML.T0010.003 AML.T0011.000 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.2.6 - AI system security A.8.2 - AI system inputs
NIST AI RMF
GOVERN-1.1 - Policies and processes for AI risk management MANAGE-2.2 - Mechanisms to sustain deployed AI value and manage risks
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2020-15212?

Any system loading untrusted TFLite models with segment sum operations is at risk of heap memory corruption that can be chained into code execution. Upgrade to TensorFlow 2.2.1 or 2.3.1 immediately; if upgrade is blocked, add a model verifier that rejects negative segment IDs. Audit your model ingestion pipelines — if you load third-party or user-supplied TFLite models without validation, assume exploitation is feasible.

Is CVE-2020-15212 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15212, increasing the risk of exploitation.

How to fix CVE-2020-15212?

1. PATCH: Upgrade TensorFlow to 2.2.1 or 2.3.1 (commit 204945b). Check all environments including embedded/edge fleets — these are often missed. 2. VERIFY: Add a custom TFLite Verifier before model loading that validates all segment IDs are non-negative. 3. ISOLATE: Run TFLite inference in sandboxed processes (seccomp, containers) to limit blast radius if memory corruption occurs. 4. AUDIT: Identify all ingestion points where untrusted .tflite models enter your systems (APIs, file uploads, model registries, federated learning pipelines). 5. DETECT: Monitor for segfaults or abnormal process crashes in inference workers as a signal of active exploitation attempts.

What systems are affected by CVE-2020-15212?

This vulnerability affects the following AI/ML architecture patterns: edge inference, mobile ML applications, model serving, training pipelines, embedded AI systems.

What is the CVSS score for CVE-2020-15212?

CVE-2020-15212 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 0.24%.

Technical Details

NVD Description

In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `output_data` buffer. This might result in a segmentation fault but it can also be used to further corrupt the memory and can be chained with other vulnerabilities to create more advanced exploits. The issue is patched in commit 204945b19e44b57906c9344c0d00120eeeae178a and is released in TensorFlow versions 2.2.1, or 2.3.1. A potential workaround would be to add a custom `Verifier` to the model loading code to ensure that the segment ids are all positive, although this only handles the case when the segment ids are stored statically in the model. A similar validation could be done if the segment ids are generated at runtime between inference steps. If the segment ids are generated as outputs of a tensor during inference steps, then there are no possible workaround and users are advised to upgrade to patched code.

Exploitation Scenario

An adversary targeting an organization's ML inference API constructs a malicious TFLite model with a segment sum operation containing negative values in the segment_ids tensor. The model passes basic format validation and is accepted by the endpoint. At inference time, TFLite processes the negative segment IDs, computing an invalid output_index that points outside the allocated output_data heap buffer. The resulting write corrupts adjacent heap metadata. The adversary chains this with a heap info-leak to defeat ASLR, then uses a second model inference call to achieve controlled write-what-where, ultimately achieving remote code execution on the model-serving host with the privileges of the inference process.

Weaknesses (CWE)

CWE-787 Primary CWE-787

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

References

Timeline

Published
September 25, 2020
Last Modified
November 21, 2024
First Seen
September 25, 2020

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed