CVE-2020-15213: TensorFlow Lite: OOM DoS via crafted segment sum model

MEDIUM PoC AVAILABLE
Published September 25, 2020
CISO Take

A specially crafted TFLite model can trigger unbounded memory allocation via manipulated segment IDs, crashing any inference service that loads it. If your ML pipeline accepts externally-sourced or user-provided TFLite models, patch to TF 2.2.1+ or 2.3.1+ immediately. If patching is not immediate, deploy a custom Verifier to cap segment ID values before model loading.

What is the risk?

Medium risk overall, but elevated for organizations running TFLite inference services that consume externally-sourced models. Exploit requires crafting a malicious model file (moderate effort), but no authentication or user interaction is needed once the model reaches a vulnerable loader. Network-accessible inference APIs that accept model uploads are the highest-risk surface. No evidence of active exploitation in the wild.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 4.0 / 10
EPSS: 0.6% chance of exploitation in 30 days (higher than 45% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): High
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Changed
C (Confidentiality): None
I (Integrity): None
A (Availability): Low

What should I do?

5 steps
  1. PATCH: Upgrade TensorFlow to 2.2.1 or 2.3.1 minimum.
  2. WORKAROUND (static segment IDs): Add a custom TFLite Verifier that enforces a maximum allowable value in the segment IDs tensor before model execution.
  3. WORKAROUND (runtime segment IDs): Add bounds validation between inference steps when segment IDs are generated as intermediate tensor outputs.
  4. ARCHITECTURAL: Implement model integrity controls (only load models from trusted, signed registries) and sandbox model loading in isolated processes with memory limits to contain the blast radius.
  5. DETECT: Monitor inference worker OOM crashes and unexpected process restarts as potential exploitation indicators.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.3 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to sustain AI system effectiveness and to address AI risks
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2020-15213?

A specially crafted TFLite model can trigger unbounded memory allocation via manipulated segment IDs, crashing any inference service that loads it. If your ML pipeline accepts externally-sourced or user-provided TFLite models, patch to TF 2.2.1+ or 2.3.1+ immediately. If patching is not immediate, deploy a custom Verifier to cap segment ID values before model loading.

Is CVE-2020-15213 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15213, increasing the risk of exploitation.

How to fix CVE-2020-15213?

1. PATCH: Upgrade TensorFlow to 2.2.1 or 2.3.1 minimum.
2. WORKAROUND (static segment IDs): Add a custom TFLite Verifier that enforces a maximum allowable value in the segment IDs tensor before model execution.
3. WORKAROUND (runtime segment IDs): Add bounds validation between inference steps when segment IDs are generated as intermediate tensor outputs.
4. ARCHITECTURAL: Implement model integrity controls (only load models from trusted, signed registries) and sandbox model loading in isolated processes with memory limits to contain the blast radius.
5. DETECT: Monitor inference worker OOM crashes and unexpected process restarts as potential exploitation indicators.

What systems are affected by CVE-2020-15213?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference pipelines, edge ML deployments, training pipelines.

What is the CVSS score for CVE-2020-15213?

CVE-2020-15213 has a CVSS v3.1 base score of 4.0 (MEDIUM). The EPSS exploitation probability is 0.63%.

What is the AI security impact?

Affected AI Architectures

model serving, inference pipelines, edge ML deployments, training pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger a denial of service by causing an out of memory allocation in the implementation of segment sum. Since code uses the last element of the tensor holding them to determine the dimensionality of output tensor, attackers can use a very large value to trigger a large allocation. The issue is patched in commit 204945b19e44b57906c9344c0d00120eeeae178a and is released in TensorFlow versions 2.2.1 or 2.3.1. A potential workaround would be to add a custom `Verifier` to limit the maximum value in the segment ids tensor. This only handles the case when the segment ids are stored statically in the model, but a similar validation could be done if the segment ids are generated at runtime, between inference steps. However, if the segment ids are generated as outputs of a tensor during inference steps, then there is no possible workaround and users are advised to upgrade to patched code.

Exploitation Scenario

An adversary targets a TFLite-based image classification API that allows customers to upload custom models for fine-tuned inference. They craft a malicious .tflite model file embedding a segment sum operation with the last segment ID tensor element set to a value like 2^30, causing the inference runtime to attempt allocating gigabytes of memory. When the API loads and executes the model, the worker process crashes with OOM. By repeatedly uploading such models, the adversary sustains a denial-of-service condition against the inference fleet, degrading availability without needing credentials or exploiting complex logic.

Weaknesses (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

  • [Requirements] Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
  • [Architecture and Design] Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L

Timeline

Published
September 25, 2020
Last Modified
November 21, 2024
First Seen
September 25, 2020
