CVE-2020-15266 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Any TensorFlow service exposing image processing endpoints (object detection, vision APIs, image classification) on versions before 2.4.0 can be crashed with a single unauthenticated request. Patch to TensorFlow 2.4.0+ immediately; if delayed, add server-side input validation to reject abnormally large float values in the boxes parameter before they reach the TF kernel. No evidence of active exploitation, but the trivial attack complexity makes this a realistic DoS target.

Risk Assessment

HIGH. CVSS 7.5 with network-accessible, no-auth, low-complexity attack vector is a dangerous combination for any public-facing computer vision API. The crash is deterministic and repeatable, enabling sustained availability attacks. Risk is partially mitigated by the 2020 vintage and widespread TF 2.4.0+ adoption, but organizations running legacy TF inference services (common in on-prem ML deployments) remain exposed.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 32% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: Upgrade to TensorFlow 2.4.0+ (patch commit eccb7ec).
Workaround if patching is blocked: Validate that all values in the boxes tensor are finite (not NaN/Inf) and within [0.0, 1.0] range at the API boundary before calling crop_and_resize.
Network controls: Rate-limit inference API endpoints; consider authentication even for internal services.
Detection: Monitor serving processes for unexpected SIGSEGV/segfaults; a spike in process restarts against a vision endpoint is a strong indicator of exploitation.
Verify: Run tf.debugging.check_numerics on boxes inputs as a temporary defense-in-depth measure.

Classification

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.7 - AI system security

NIST AI RMF

GOVERN-6.1 - Policies and procedures are in place for third-party AI software and component risk MANAGE-2.2 - Mechanisms are in place to maintain AI system operation and manage residual risks

Frequently Asked Questions

What is CVE-2020-15266?

Any TensorFlow service exposing image processing endpoints (object detection, vision APIs, image classification) on versions before 2.4.0 can be crashed with a single unauthenticated request. Patch to TensorFlow 2.4.0+ immediately; if delayed, add server-side input validation to reject abnormally large float values in the boxes parameter before they reach the TF kernel. No evidence of active exploitation, but the trivial attack complexity makes this a realistic DoS target.

Is CVE-2020-15266 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15266, increasing the risk of exploitation.

How to fix CVE-2020-15266?

1. Patch: Upgrade to TensorFlow 2.4.0+ (patch commit eccb7ec). 2. Workaround if patching is blocked: Validate that all values in the boxes tensor are finite (not NaN/Inf) and within [0.0, 1.0] range at the API boundary before calling crop_and_resize. 3. Network controls: Rate-limit inference API endpoints; consider authentication even for internal services. 4. Detection: Monitor serving processes for unexpected SIGSEGV/segfaults; a spike in process restarts against a vision endpoint is a strong indicator of exploitation. 5. Verify: Run tf.debugging.check_numerics on boxes inputs as a temporary defense-in-depth measure.

What systems are affected by CVE-2020-15266?

This vulnerability affects the following AI/ML architecture patterns: computer vision model serving, image preprocessing pipelines, object detection inference pipelines, training pipelines with data augmentation, multi-tenant ML inference platforms.

What is the CVSS score for CVE-2020-15266?

CVE-2020-15266 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.13%.

Technical Details

NVD Description

In Tensorflow before version 2.4.0, when the `boxes` argument of `tf.image.crop_and_resize` has a very large value, the CPU kernel implementation receives it as a C++ `nan` floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.

Exploitation Scenario

Attacker identifies a public-facing object detection API (e.g., a product image tagging service, autonomous vehicle perception endpoint, or medical imaging pipeline) built on TensorFlow. They send a crafted inference request with a bounding box coordinate set to a very large float (e.g., 1e38). The TF CPU kernel receives this as C++ NaN after internal conversion, performs arithmetic on it triggering undefined behavior, and the process crashes with SIGSEGV. Automating this in a loop achieves persistent DoS with minimal bandwidth. An internal red team could exploit this to demonstrate availability impact on ML infrastructure without requiring any ML expertise.