CVE-2020-15265: TensorFlow: OOB read DoS via invalid quantize axis

HIGH PoC AVAILABLE
Published October 21, 2020
CISO Take

An unauthenticated remote attacker can crash TensorFlow inference services by sending a crafted request with an invalid axis parameter to any endpoint invoking tf.quantization.quantize_and_dequantize. No privileges or user interaction required. Upgrade to TensorFlow 2.4.0+ immediately; if serving quantized models on public-facing APIs on older TF versions, treat this as critical availability risk.

Risk Assessment

CVSS 7.5 HIGH with network vector, low complexity, no authentication — trivially exploitable. Impact is limited to availability (DoS via segfault), with no confidentiality or integrity exposure per the CVSS vector. Real-world risk depends on whether TF inference endpoints are public-facing and whether the quantize_and_dequantize op is in the serving path. In practice, production AI serving pipelines behind authenticated APIs face lower operational risk; unauthenticated public endpoints using quantized models are directly exposed. Given the 2020 publication date, unpatched deployments today represent a hygiene failure rather than a zero-day.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 47% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

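AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High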

Recommended Action

  1. Patch: Upgrade to TensorFlow 2.4.0 or later (patch commit eccb7ec454e6617738554a255d77f08e60ee0808).

  2. Workaround if patching is blocked: Add an input validation layer in front of quantize_and_dequantize that checks axis is within [-rank, rank) of the input tensor before the op is invoked.

  3. Network controls: Place TF serving endpoints behind authenticated reverse proxies; avoid exposing raw TF serving ports (8500/8501) directly to untrusted networks.

  4. Detection: Monitor inference service crash/restart patterns — repeated SIGSEGV or abnormal process terminations in TF serving containers are indicators.

  5. Audit: Inventory all TF versions in use across model serving infrastructure; flag any pre-2.4.0 deployments.
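One way to implement the axis check from step 2, as an added example that is not TensorFlow's code or the patch itself. The names `checked_axis`, `InvalidAxisError`, `triage` and the sample requests are hypothetical and constructed here, and the caller is assumed to supply the input's static shape (for example `tuple(x.shape)`).

```python
from typing import Optional, Sequence


class InvalidAxisError(ValueError):
    """The requested axis does not index a dimension of the input tensor."""


def checked_axis(shape: Optional[Sequence], axis) -> Optional[int]:
    """Return a normalized, non-negative axis or raise InvalidAxisError.

    shape: static shape of the input (assumption: supplied by the caller);
           None if the rank is unknown.
    axis:  value taken from the request; None selects per-tensor
           quantization, so no dimension lookup happens for it.
    """
    if axis is None:
        return None
    # bool is a subclass of int, so exclude it explicitly with floats/strings.
    if isinstance(axis, bool) or not isinstance(axis, int):
        raise InvalidAxisError(f"axis must be an integer, got {axis!r}")
    if shape is None:
        raise InvalidAxisError("input rank unknown; per-axis request refused")
    rank = len(shape)
    if not -rank <= axis < rank:
        raise InvalidAxisError(f"axis {axis} not in [-{rank}, {rank})")
    return axis % rank  # maps -1 to rank-1, leaves 0..rank-1 unchanged


def triage(requests):
    """Split constructed (shape, axis) requests into accepted and rejected."""
    accepted, rejected = [], []
    for shape, axis in requests:
        try:
            accepted.append((shape, checked_axis(shape, axis)))
        except InvalidAxisError as err:
            rejected.append((shape, axis, str(err)))
    return accepted, rejected


# Constructed sample requests: (input shape, requested axis).
SAMPLES = [((4, 8), 1), ((4, 8), -2), ((4, 8), 2), ((4, 8), 999),
           ((4, 8), -3), ((), 0), ((4, 8), None), ((4, 8), True), (None, 0)]

if __name__ == "__main__":
    ok, bad = triage(SAMPLES)
    print("accepted:", ok)
    for shape, axis, why in bad:
        print("rejected:", shape, axis, "->", why)
```

Rejections should be returned to the client as a normal error response and logged, so that malformed axis values show up in request logs instead of as process crashes.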

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Security of AI system operation
NIST AI RMF
GOVERN 6.1 - Policies and procedures are in place for vulnerability management
MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems

Frequently Asked Questions

What is CVE-2020-15265?

An unauthenticated remote attacker can crash TensorFlow inference services by sending a crafted request with an invalid axis parameter to any endpoint invoking tf.quantization.quantize_and_dequantize. No privileges or user interaction required. Upgrade to TensorFlow 2.4.0+ immediately; if serving quantized models on public-facing APIs on older TF versions, treat this as critical availability risk.

Is CVE-2020-15265 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15265, increasing the risk of exploitation.

How to fix CVE-2020-15265?

  1. Patch: Upgrade to TensorFlow 2.4.0 or later (patch commit eccb7ec454e6617738554a255d77f08e60ee0808).

  2. Workaround if patching is blocked: Add input validation layer before calling quantize_and_dequantize — validate that axis is within [-rank, rank) of the input tensor before invoking the op.

  3. Network controls: Place TF serving endpoints behind authenticated reverse proxies; avoid exposing raw TF serving ports (8500/8501) directly to untrusted networks.

  4. Detection: Monitor inference service crash/restart patterns — repeated SIGSEGV or abnormal process terminations in TF serving containers are indicators.

  5. Audit: Inventory all TF versions in use across model serving infrastructure; flag any pre-2.4.0 deployments.

What systems are affected by CVE-2020-15265?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference pipelines, training pipelines.

What is the CVSS score for CVE-2020-15265?

CVE-2020-15265 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.24%.

Technical Details

NVD Description

In Tensorflow before version 2.4.0, an attacker can pass an invalid `axis` value to `tf.quantization.quantize_and_dequantize`. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However, dim_size only does a DCHECK to validate the argument and then uses it to access the corresponding element of an array. Since in normal builds, `DCHECK`-like macros are no-ops, this results in segfault and access out of bounds of the array. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.

Exploitation Scenario

An adversary targeting a company's public-facing AI API discovers it serves a quantized TensorFlow model (detectable via response latency patterns or API documentation leakage). The attacker crafts an inference request where the axis parameter for a quantize_and_dequantize operation is set to a value exceeding the rank of the input tensor — for example, axis=999 on a 2D tensor. TensorFlow's C++ kernel calls dim_size with the invalid index, bypasses the no-op DCHECK in release builds, accesses out-of-bounds memory, and segfaults. The model serving process crashes, taking down availability for all legitimate users. With no rate limiting, the attacker can sustain the DoS indefinitely with minimal bandwidth by repeating the malformed request.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: October 21, 2020
Last Modified: November 21, 2024
First Seen: October 21, 2020
