CVE-2020-15266: TensorFlow: NaN-triggered DoS in crop_and_resize op

HIGH PoC AVAILABLE
Published October 21, 2020
CISO Take

Any TensorFlow service exposing image processing endpoints (object detection, vision APIs, image classification) on versions before 2.4.0 can be crashed with a single unauthenticated request. Patch to TensorFlow 2.4.0+ immediately; if delayed, add server-side input validation to reject abnormally large float values in the boxes parameter before they reach the TF kernel. No evidence of active exploitation, but the trivial attack complexity makes this a realistic DoS target.

What is the risk?

HIGH. A CVSS score of 7.5 with a network-accessible, no-auth, low-complexity attack vector is a dangerous combination for any public-facing computer vision API. The crash is deterministic and repeatable, enabling sustained availability attacks. Risk is partially mitigated by the 2020 vintage and widespread TF 2.4.0+ adoption, but organizations running legacy TF inference services (common in on-prem ML deployments) remain exposed.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.9% chance of exploitation in 30 days (higher than 55% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium (public PoC indexed in trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

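AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High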

What should I do?

  1. Patch: Upgrade to TensorFlow 2.4.0+ (patch commit eccb7ec).

  2. Workaround if patching is blocked: Validate that all values in the boxes tensor are finite (not NaN/Inf) and within [0.0, 1.0] range at the API boundary before calling crop_and_resize.

  3. Network controls: Rate-limit inference API endpoints; consider authentication even for internal services.

  4. Detection: Monitor serving processes for unexpected SIGSEGV/segfaults; a spike in process restarts against a vision endpoint is a strong indicator of exploitation.

  5. Verify: Run tf.debugging.check_numerics on boxes inputs as a temporary defense-in-depth measure.
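The boundary check from step 2, as an added example (not code from the TensorFlow project or the advisory): a pure-Python validator applied to a JSON request body before anything is handed to crop_and_resize. The `{"boxes": [...]}` request shape, the `max_boxes` cap and the function names are assumptions for illustration.

```python
import json
import math

BOX_COORDS = 4  # each row is [y1, x1, y2, x2]


class InvalidBoxes(ValueError):
    """Raised when a request's boxes must not reach tf.image.crop_and_resize."""


def validate_boxes(boxes, max_boxes=1024):
    """Return boxes as rows of floats, or raise InvalidBoxes.

    max_boxes is an assumed service limit, not a TensorFlow constant.
    """
    if not isinstance(boxes, list) or not boxes:
        raise InvalidBoxes("boxes must be a non-empty list of rows")
    if len(boxes) > max_boxes:
        raise InvalidBoxes(f"too many boxes: {len(boxes)} > {max_boxes}")
    clean = []
    for i, row in enumerate(boxes):
        if not isinstance(row, list) or len(row) != BOX_COORDS:
            raise InvalidBoxes(f"box {i}: expected {BOX_COORDS} coordinates")
        out = []
        for j, v in enumerate(row):
            # bool is a subclass of int; reject it with strings, None, lists.
            if isinstance(v, bool) or not isinstance(v, (int, float)):
                raise InvalidBoxes(f"box {i}[{j}]: not a number")
            # json.loads accepts NaN/Infinity literals and turns 1e400 into inf.
            if isinstance(v, float) and not math.isfinite(v):
                raise InvalidBoxes(f"box {i}[{j}]: non-finite value")
            # Range check also stops finite-but-huge values such as 1e38.
            if not 0.0 <= v <= 1.0:
                raise InvalidBoxes(f"box {i}[{j}]: value outside [0.0, 1.0]")
            out.append(float(v))
        clean.append(out)
    return clean


def boxes_from_request(body):
    """Parse a JSON request body (constructed format) and validate its boxes."""
    try:
        payload = json.loads(body)
    except (ValueError, RecursionError) as exc:
        raise InvalidBoxes(f"malformed JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise InvalidBoxes("request body must be a JSON object")
    return validate_boxes(payload.get("boxes"))
```

Map `InvalidBoxes` to an HTTP 400 at the API layer so rejected requests are logged and counted rather than reaching the serving process.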

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.7 - AI system security
NIST AI RMF: GOVERN-6.1 - Policies and procedures are in place for third-party AI software and component risk
NIST AI RMF: MANAGE-2.2 - Mechanisms are in place to maintain AI system operation and manage residual risks

Frequently Asked Questions

Is CVE-2020-15266 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15266, increasing the risk of exploitation.

What systems are affected by CVE-2020-15266?

This vulnerability affects the following AI/ML architecture patterns: computer vision model serving, image preprocessing pipelines, object detection inference pipelines, training pipelines with data augmentation, multi-tenant ML inference platforms.

What is the CVSS score for CVE-2020-15266?

CVE-2020-15266 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.92%.

What is the AI security impact?

Affected AI Architectures

computer vision model serving
image preprocessing pipelines
object detection inference pipelines
training pipelines with data augmentation
multi-tenant ML inference platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.7
NIST AI RMF: GOVERN-6.1, MANAGE-2.2

What are the technical details?

Original Advisory

In Tensorflow before version 2.4.0, when the `boxes` argument of `tf.image.crop_and_resize` has a very large value, the CPU kernel implementation receives it as a C++ `nan` floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.

Exploitation Scenario

An attacker identifies a public-facing object detection API (e.g., a product image tagging service, autonomous vehicle perception endpoint, or medical imaging pipeline) built on TensorFlow. They send a crafted inference request with a bounding box coordinate set to a very large float (e.g., 1e38). The TF CPU kernel receives this as a C++ NaN after internal conversion and performs arithmetic on it, triggering undefined behavior, and the process crashes with SIGSEGV. Automating this in a loop achieves persistent DoS with minimal bandwidth. An internal red team could exploit this to demonstrate availability impact on ML infrastructure without requiring any ML expertise.

Weaknesses (CWE)

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: October 21, 2020
Last Modified: November 21, 2024
First Seen: October 21, 2020

Related Vulnerabilities