AI Threat Alert AI Threat Alert

CVE-2020-15214: TensorFlow Lite: OOB write in segment sum, memory corruption risk

HIGH PoC AVAILABLE
Published September 25, 2020
CISO Take

A crafted TFLite model with unsorted segment IDs can trigger an out-of-bounds write, potentially providing a memory corruption write gadget for chained exploits. Any deployment that loads TFLite models from external or untrusted sources is directly exposed. Upgrade to TensorFlow 2.2.1 or 2.3.1 immediately; if static models are used, add a segment-ID sort verifier as a compensating control.

Risk Assessment

CVSS 8.1 (High) with network vector and no required privileges elevates theoretical risk, but high attack complexity grounds it. The real danger is in AI inference pipelines that accept externally-supplied or user-uploaded TFLite models — an attacker with model-upload capability can reliably trigger this. The write-gadget potential means this is not a simple crash: a skilled adversary could chain this into arbitrary code execution on the inference host.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
8.1 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 49% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC High
PR None
UI None
S Changed
C Low
I Low
A High

Recommended Action

6 steps

  1. Patch: Upgrade to TensorFlow 2.2.1 or 2.3.1 (commit 204945b).

  2. Workaround (static models): Implement a custom Verifier at model load time to assert segment_ids tensor is monotonically non-decreasing before inference.

  3. Workaround (runtime-generated segment IDs): Insert a sort-and-validate step between inference steps before feeding segment_ids.

  4. If segment IDs are generated as model outputs during inference, patching is the only option — no workaround exists.

  5. Detection: Monitor inference processes for SIGSEGV/abnormal exits; segment_sum layer crashes are a signal.

  6. Defense-in-depth: Enforce model signing/provenance checks before loading any TFLite model into production.

Classification

Code Execution Supply Chain DoS Framework Inference Model AML.T0010.001 AML.T0011.000 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.2 - AI system risk assessment A.9.3 - Corrective action
NIST AI RMF
MANAGE 2.2 - Mechanisms to respond to and recover from AI risks
OWASP LLM Top 10
LLM05 - Vulnerable and Outdated Components

Frequently Asked Questions

What is CVE-2020-15214?

A crafted TFLite model with unsorted segment IDs can trigger an out-of-bounds write, potentially providing a memory corruption write gadget for chained exploits. Any deployment that loads TFLite models from external or untrusted sources is directly exposed. Upgrade to TensorFlow 2.2.1 or 2.3.1 immediately; if static models are used, add a segment-ID sort verifier as a compensating control.

Is CVE-2020-15214 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15214, increasing the risk of exploitation.

How to fix CVE-2020-15214?

1. Patch: Upgrade to TensorFlow 2.2.1 or 2.3.1 (commit 204945b). 2. Workaround (static models): Implement a custom Verifier at model load time to assert segment_ids tensor is monotonically non-decreasing before inference. 3. Workaround (runtime-generated segment IDs): Insert a sort-and-validate step between inference steps before feeding segment_ids. 4. If segment IDs are generated as model outputs during inference, patching is the only option — no workaround exists. 5. Detection: Monitor inference processes for SIGSEGV/abnormal exits; segment_sum layer crashes are a signal. 6. Defense-in-depth: Enforce model signing/provenance checks before loading any TFLite model into production.

What systems are affected by CVE-2020-15214?

This vulnerability affects the following AI/ML architecture patterns: model serving, edge inference, training pipelines, mobile/IoT AI deployments.

What is the CVSS score for CVE-2020-15214?

CVE-2020-15214 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.26%.

Technical Details

NVD Description

In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger a write out bounds / segmentation fault if the segment ids are not sorted. Code assumes that the segment ids are in increasing order, using the last element of the tensor holding them to determine the dimensionality of output tensor. This results in allocating insufficient memory for the output tensor and in a write outside the bounds of the output array. This usually results in a segmentation fault, but depending on runtime conditions it can provide for a write gadget to be used in future memory corruption-based exploits. The issue is patched in commit 204945b19e44b57906c9344c0d00120eeeae178a and is released in TensorFlow versions 2.2.1, or 2.3.1. A potential workaround would be to add a custom `Verifier` to the model loading code to ensure that the segment ids are sorted, although this only handles the case when the segment ids are stored statically in the model. A similar validation could be done if the segment ids are generated at runtime between inference steps. If the segment ids are generated as outputs of a tensor during inference steps, then there are no possible workaround and users are advised to upgrade to patched code.

Exploitation Scenario

An adversary targeting an AI inference API that accepts user-uploaded TFLite models crafts a malicious model containing a segment_sum operation with deliberately unsorted segment IDs. When the victim's inference server loads and executes the model, TFLite reads the last segment ID to determine output tensor size, allocates insufficient memory, then writes beyond the allocation boundary. On most runtimes this causes a segfault and DoS. On a target with known memory layout (e.g., a containerized inference service with predictable ASLR), the write gadget can be leveraged to overwrite adjacent heap structures, potentially escalating to arbitrary code execution on the inference host — giving the adversary a foothold in the ML serving infrastructure.

Weaknesses (CWE)

CWE-787

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H

References

Timeline

Published
September 25, 2020
Last Modified
November 21, 2024
First Seen
September 25, 2020

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed