CVE-2020-15265: TensorFlow: OOB read DoS via invalid quantize axis

HIGH PoC AVAILABLE
Published October 21, 2020
CISO Take

An unauthenticated remote attacker can crash TensorFlow inference services by sending a crafted request with an invalid axis parameter to any endpoint invoking tf.quantization.quantize_and_dequantize. No privileges or user interaction required. Upgrade to TensorFlow 2.4.0+ immediately; if serving quantized models on public-facing APIs on older TF versions, treat this as critical availability risk.

What is the risk?

CVSS 7.5 HIGH with network vector, low complexity, no authentication — trivially exploitable. Impact is limited to availability (DoS via segfault), with no confidentiality or integrity exposure per the CVSS vector. Real-world risk depends on whether TF inference endpoints are public-facing and whether the quantize_and_dequantize op is in the serving path. In practice, production AI serving pipelines behind authenticated APIs face lower operational risk; unauthenticated public endpoints using quantized models are directly exposed. Given the 2020 publication date, unpatched deployments today represent a hygiene failure rather than a zero-day.

What systems are affected?

Package      Ecosystem   Vulnerable Range   Patched
TensorFlow   pip         -                  No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.9%
chance of exploitation in 30 days
Higher than 54% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Metric                     Value
AV (Attack Vector)         Network
AC (Attack Complexity)     Low
PR (Privileges Required)   None
UI (User Interaction)      None
S (Scope)                  Unchanged
C (Confidentiality)        None
I (Integrity)              None
A (Availability)           High

What should I do?

5 steps
  1. Patch: Upgrade to TensorFlow 2.4.0 or later (patch commit eccb7ec454e6617738554a255d77f08e60ee0808).

  2. Workaround if patching is blocked: Add input validation layer before calling quantize_and_dequantize — validate that axis is within [-rank, rank) of the input tensor before invoking the op.

  3. Network controls: Place TF serving endpoints behind authenticated reverse proxies; avoid exposing raw TF serving ports (8500/8501) directly to untrusted networks.

  4. Detection: Monitor inference service crash/restart patterns — repeated SIGSEGV or abnormal process terminations in TF serving containers are indicators.

  5. Audit: Inventory all TF versions in use across model serving infrastructure; flag any pre-2.4.0 deployments.
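Step 2 in practice, as an added example written for this page and not TensorFlow's own code: a validation layer that normalises and bounds-checks a request-supplied axis against the input tensor's rank before the op is constructed, so an out-of-range index never reaches the unpatched C++ kernel. The names InvalidAxisError, validate_quantize_axis, is_valid_quantize_axis and safe_quantize_and_dequantize are assumptions; the wrapper assumes TensorFlow 2.x is installed and that the input has a known static rank. The rank check itself runs without TensorFlow.

```python
"""Input-validation layer for tf.quantization.quantize_and_dequantize.

Added example for this advisory page; it is not TensorFlow's own code.
`axis` is treated as untrusted (e.g. taken from a request body) and is
bounds-checked against the input's rank before the op is ever constructed,
so the unpatched C++ kernel is never reached with an out-of-range index.
"""
from typing import Optional


class InvalidAxisError(ValueError):
    """Raised when a requested quantization axis is outside the tensor's rank."""


def validate_quantize_axis(rank: int, axis: Optional[int]) -> Optional[int]:
    """Return a normalised, non-negative axis, or None for per-tensor quantization.

    rank: number of dimensions of the input tensor (2 for a 2-D tensor).
    axis: untrusted value. None means per-tensor quantization and passes
          through unchanged. Values in [-rank, rank) are accepted and
          negative ones normalised Python-style (axis + rank); anything
          else, including the advisory's axis=999 on a 2-D input, is rejected.
    """
    if axis is None:
        return None
    # bool is a subclass of int; reject it so JSON true/false cannot act as 1/0.
    if isinstance(axis, bool) or not isinstance(axis, int):
        raise InvalidAxisError(f"axis must be an int or None, got {type(axis).__name__}")
    if rank <= 0:
        raise InvalidAxisError("scalar input has no axis to quantize along")
    if not -rank <= axis < rank:
        raise InvalidAxisError(f"axis {axis} outside [-{rank}, {rank}) for rank-{rank} input")
    return axis % rank  # e.g. -1 -> rank - 1


def is_valid_quantize_axis(rank: int, axis: Optional[int]) -> bool:
    """Boolean form of the check, convenient for request-schema validation."""
    try:
        validate_quantize_axis(rank, axis)
    except InvalidAxisError:
        return False
    return True


def safe_quantize_and_dequantize(x, input_min, input_max, axis: Optional[int] = None, **kwargs):
    """Check `axis` against x's static rank, then call the TensorFlow op.

    Hypothetical wrapper: assumes TensorFlow 2.x is installed and that x has a
    known static rank. The import is deferred so the checks above can be
    used and tested without TensorFlow.
    """
    import tensorflow as tf  # assumption: TensorFlow available at runtime

    if x.shape.rank is None:
        raise InvalidAxisError("input must have a known static rank to validate axis")
    checked_axis = validate_quantize_axis(x.shape.rank, axis)
    return tf.quantization.quantize_and_dequantize(
        x, input_min, input_max, axis=checked_axis, **kwargs)


if __name__ == "__main__":
    # 2-D input: axis 999 (the advisory's example) is rejected, -1 maps to 1.
    print(is_valid_quantize_axis(2, 999), validate_quantize_axis(2, -1))
```

The check is deliberately an allow-list on the value's type and range rather than a search for known-bad values, which is the CWE-125 guidance quoted further down this page. None is passed through because the public Python API accepts None to mean per-tensor quantization; everything else must be an int in [-rank, rank) or the request is refused before any graph is built.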

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Security of AI system operation
NIST AI RMF
GOVERN 6.1 - Policies and procedures are in place for vulnerability management
MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems

Frequently Asked Questions

What is CVE-2020-15265?

An unauthenticated remote attacker can crash TensorFlow inference services by sending a crafted request with an invalid axis parameter to any endpoint invoking tf.quantization.quantize_and_dequantize. No privileges or user interaction required. Upgrade to TensorFlow 2.4.0+ immediately; if serving quantized models on public-facing APIs on older TF versions, treat this as critical availability risk.

Is CVE-2020-15265 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15265, increasing the risk of exploitation.

How to fix CVE-2020-15265?

  1. Patch: Upgrade to TensorFlow 2.4.0 or later (patch commit eccb7ec454e6617738554a255d77f08e60ee0808).

  2. Workaround if patching is blocked: Add input validation layer before calling quantize_and_dequantize — validate that axis is within [-rank, rank) of the input tensor before invoking the op.

  3. Network controls: Place TF serving endpoints behind authenticated reverse proxies; avoid exposing raw TF serving ports (8500/8501) directly to untrusted networks.

  4. Detection: Monitor inference service crash/restart patterns — repeated SIGSEGV or abnormal process terminations in TF serving containers are indicators.

  5. Audit: Inventory all TF versions in use across model serving infrastructure; flag any pre-2.4.0 deployments.

What systems are affected by CVE-2020-15265?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference pipelines, training pipelines.

What is the CVSS score for CVE-2020-15265?

CVE-2020-15265 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.89%.

What is the AI security impact?

Affected AI Architectures

model serving
inference pipelines
training pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN 6.1, MANAGE 2.2

What are the technical details?

Original Advisory

In Tensorflow before version 2.4.0, an attacker can pass an invalid `axis` value to `tf.quantization.quantize_and_dequantize`. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However, dim_size only does a DCHECK to validate the argument and then uses it to access the corresponding element of an array. Since in normal builds, `DCHECK`-like macros are no-ops, this results in segfault and access out of bounds of the array. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.

Exploitation Scenario

An adversary targeting a company's public-facing AI API discovers it serves a quantized TensorFlow model (detectable via response latency patterns or API documentation leakage). The attacker crafts an inference request where the axis parameter for a quantize_and_dequantize operation is set to a value exceeding the rank of the input tensor — for example, axis=999 on a 2D tensor. TensorFlow's C++ kernel calls dim_size with the invalid index; the only guard is a DCHECK, which is compiled out in release builds, so the kernel reads out of bounds and segfaults. The model serving process crashes, taking down availability for all legitimate users. With no rate limiting, the attacker can sustain the DoS indefinitely with minimal bandwidth by repeating the malformed request.
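The crash-then-repeat pattern described above is what step 4 of the guidance asks operators to watch for. As an added example for this page, not taken from the advisory or any vendor tool, the following detector scans container-runtime style log lines, folds the duplicate signals one crash produces (the SIGSEGV line and the runtime's exit-code-139 line) into a single event, and alerts when a serving container crashes repeatedly inside a short window. The log lines are constructed and their column layout (ISO timestamp, container name, message) is an assumption; adapt LINE_RE to your own log source.

```python
"""Crash-burst detector for TensorFlow serving containers.

Added example for this advisory page; not from any vendor tool. The sample
log is constructed and its column layout is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, NamedTuple, Optional

# Constructed sample log, loosely modelled on container-runtime/kubelet output.
SAMPLE_LOG = """\
2020-10-22T10:00:01Z tf-serving-a Container started
2020-10-22T10:01:03Z tf-serving-a Process terminated by signal SIGSEGV
2020-10-22T10:01:05Z tf-serving-a Container exited with code 139, restarting
2020-10-22T10:01:40Z tf-serving-a Process terminated by signal SIGSEGV
2020-10-22T10:01:42Z tf-serving-a Container exited with code 139, restarting
2020-10-22T10:02:15Z tf-serving-b Container started
2020-10-22T10:02:20Z tf-serving-a Process terminated by signal SIGSEGV
2020-10-22T10:02:22Z tf-serving-a Container exited with code 139, restarting
2020-10-22T10:30:00Z tf-serving-b Process terminated by signal SIGSEGV
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<svc>\S+)\s+(?P<msg>.*)$")
# Signals of an abnormal termination: the signal name, the kernel's segfault
# message, or exit status 139 (128 + SIGSEGV) reported by the runtime.
CRASH_RE = re.compile(r"SIGSEGV|segfault|exited with code 139", re.IGNORECASE)


class Alert(NamedTuple):
    service: str
    first_seen: datetime
    last_seen: datetime
    count: int


def parse_line(line: str) -> Optional[tuple]:
    """Return (timestamp, service, message), or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return ts, m["svc"], m["msg"]


def detect_crash_bursts(log_text: str,
                        window: timedelta = timedelta(minutes=5),
                        threshold: int = 3,
                        dedupe: timedelta = timedelta(seconds=10)) -> List[Alert]:
    """Alert when one service crashes `threshold` times within `window`.

    A SIGSEGV line and the runtime's matching 'exit code 139' line describe
    the same crash, so a crash seen within `dedupe` of the previous counted
    crash for that service is folded into it rather than counted twice.
    After an alert the service's window is reset so each burst alerts once.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    last_counted: Dict[str, datetime] = {}
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, svc, msg = parsed
        if not CRASH_RE.search(msg):
            continue
        prev = last_counted.get(svc)
        if prev is not None and ts - prev < dedupe:
            continue  # same crash reported a second time by the runtime
        last_counted[svc] = ts
        q = recent[svc]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop crashes that fell out of the sliding window
        if len(q) >= threshold:
            alerts.append(Alert(svc, q[0], ts, len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_crash_bursts(SAMPLE_LOG):
        print(f"{a.service}: {a.count} crashes between {a.first_seen} and {a.last_seen}")
```

On the constructed log this raises one alert for tf-serving-a (three distinct crashes in 77 seconds) and none for tf-serving-b, whose single crash is ordinary restart noise. Tune window and threshold to the service's normal restart rate, and pair the alert with the request logs of the proxy in front of the serving port so the repeated malformed request can be traced to a client and rate-limited.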

Weaknesses (CWE)

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
October 21, 2020
Last Modified
November 21, 2024
First Seen
October 21, 2020

Related Vulnerabilities