CVE-2020-26266: TensorFlow: uninitialized memory read via crafted SavedModel
Severity: MEDIUM. PoC available.
Upgrade TensorFlow to patched releases (1.15.5 / 2.0.4 / 2.1.3 / 2.2.2 / 2.3.2 / 2.4.0) immediately and treat every SavedModel file as executable code requiring cryptographic provenance verification before loading. Environments serving externally-sourced or quantized models carry the highest exposure—prioritize those for patching and sandbox isolation. Not actively exploited, but the low-complexity local attack vector makes this a credible supply chain or insider threat.
Risk Assessment
Medium severity in isolation (CVSS 5.3, AV:L/AC:L/PR:L), but risk escalates sharply in model-serving pipelines that ingest externally-sourced SavedModels. The low attack complexity (no special conditions) and absence of user interaction lower the barrier for exploitation post-access. No evidence of active exploitation and not in CISA KEV, but quantized model deployments—common in edge and mobile scenarios—expand the affected surface beyond typical server-side TF installations.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | — | No patch |
Recommended Action
1. Patch: Upgrade to TF 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, or 2.4.0. Run SCA/SBOM tooling to surface all TF versions across your environment.
2. Model provenance: Enforce cryptographic signing and hash verification of all SavedModel artifacts before loading—treat model files as code, not data.
3. Sandbox inference: Load untrusted models inside isolated containers with seccomp/AppArmor profiles; restrict heap-dump capabilities to limit disclosure impact.
4. Least privilege: Ensure model-serving processes run under low-privilege service accounts to contain post-exploitation lateral movement.
5. Detect: Alert on anomalous memory usage spikes in TF serving processes; flag unverified model loads in CI/CD and model registry audit logs.
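A defender-side gate for the patch and model-provenance steps above, added here as an example; it is not code from the advisory or from TensorFlow. It refuses a SavedModel unless the running TensorFlow version carries the fix and every file in the model directory matches an HMAC-signed SHA-256 manifest written by the trusted build step. MANIFEST_NAME, the demo key handling and the sample file names are assumptions.

```python
import hashlib, hmac, json, os, re
# First patch level carrying the fix for each release line the advisory lists.
PATCHED = {(1, 15): 5, (2, 0): 4, (2, 1): 3, (2, 2): 2, (2, 3): 2, (2, 4): 0}
MANIFEST_NAME = "MANIFEST.sig.json"  # constructed name, not a TensorFlow convention

def is_patched(version):
    """True if this TensorFlow version string carries the CVE-2020-26266 fix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return False
    major, minor, patch = map(int, m.groups())
    if (major, minor) > (2, 4):
        return True  # release lines newer than 2.4 were cut after the fix landed
    fixed = PATCHED.get((major, minor))
    return fixed is not None and patch >= fixed

def digest_tree(model_dir):
    """Relative path -> SHA-256 for every file in the SavedModel directory."""
    out = {}
    for root, _, files in os.walk(model_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, model_dir).replace(os.sep, "/")
            if rel == MANIFEST_NAME:
                continue
            with open(full, "rb") as f:
                out[rel] = hashlib.sha256(f.read()).hexdigest()
    return out

def sign_manifest(digests, key):
    """HMAC-SHA256 over canonical JSON of the digest map; keep the key in a KMS."""
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def write_manifest(model_dir, key):
    """Producer side: run in the trusted build step that publishes the model."""
    digests = digest_tree(model_dir)
    with open(os.path.join(model_dir, MANIFEST_NAME), "w") as f:
        json.dump({"files": digests, "hmac": sign_manifest(digests, key)}, f)

def verify_model_dir(model_dir, key):
    """Consumer side: fail closed on a missing, unsigned, tampered, added or removed file."""
    try:
        with open(os.path.join(model_dir, MANIFEST_NAME)) as f:
            doc = json.load(f)
        files, sig = doc["files"], str(doc["hmac"])
    except (OSError, ValueError, KeyError, TypeError):
        return False
    expected = sign_manifest(files, key) if isinstance(files, dict) else None
    if expected is None or not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return digest_tree(model_dir) == files
```

Call is_patched(tf.__version__) and verify_model_dir(path, key) before tf.saved_model.load(path), with the key fetched from a secret store rather than shipped alongside the model.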
Frequently Asked Questions
What is CVE-2020-26266?
Upgrade TensorFlow to patched releases (1.15.5 / 2.0.4 / 2.1.3 / 2.2.2 / 2.3.2 / 2.4.0) immediately and treat every SavedModel file as executable code requiring cryptographic provenance verification before loading. Environments serving externally-sourced or quantized models carry the highest exposure—prioritize those for patching and sandbox isolation. Not actively exploited, but the low-complexity local attack vector makes this a credible supply chain or insider threat.
Is CVE-2020-26266 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2020-26266, increasing the risk of exploitation.
How to fix CVE-2020-26266?
1. Patch: Upgrade to TF 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, or 2.4.0. Run SCA/SBOM tooling to surface all TF versions across your environment.
2. Model provenance: Enforce cryptographic signing and hash verification of all SavedModel artifacts before loading—treat model files as code, not data.
3. Sandbox inference: Load untrusted models inside isolated containers with seccomp/AppArmor profiles; restrict heap-dump capabilities to limit disclosure impact.
4. Least privilege: Ensure model-serving processes run under low-privilege service accounts to contain post-exploitation lateral movement.
5. Detect: Alert on anomalous memory usage spikes in TF serving processes; flag unverified model loads in CI/CD and model registry audit logs.
What systems are affected by CVE-2020-26266?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps/CI-CD model registries, edge inference (quantized/TFLite).
What is the CVSS score for CVE-2020-26266?
CVE-2020-26266 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.05%.
Technical Details
NVD Description
In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.
Exploitation Scenario
An adversary with write access to a shared model registry (compromised CI/CD credentials, malicious insider, or dependency confusion attack) replaces a legitimate quantized TensorFlow SavedModel with a crafted variant. When the ML serving infrastructure pulls and loads this model for inference, Eigen's uninitialized quantized floating-point buffers are accessed, causing the runtime to read stale heap contents. Depending on heap layout at the time of load, this leaks fragments of previously processed tensor data—potentially including inference inputs from other tenants in a multi-tenant serving environment—without triggering explicit errors or alerting on-call teams.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
References
- github.com/tensorflow/tensorflow/commit/ace0c15a22f7f054abcc1f53eabbcb0a1239a9e2 (Patch, Third Party)
- github.com/tensorflow/tensorflow/security/advisories/GHSA-qhxx-j73r-qpm2 (Exploit, Patch, Third Party)
Related Vulnerabilities
- CVE-2020-15196 (9.9) TensorFlow: heap OOB read in sparse/ragged count ops (same package: tensorflow)
- CVE-2020-15205 (9.8) TensorFlow: heap overflow in StringNGrams, ASLR bypass (same package: tensorflow)
- CVE-2020-15208 (9.8) TFLite: OOB read/write via tensor dimension mismatch (same package: tensorflow)
- CVE-2019-16778 (9.8) TensorFlow: heap overflow in UnsortedSegmentSum op (same package: tensorflow)
- CVE-2022-23587 (9.8) TensorFlow: integer overflow in Grappler enables RCE (same package: tensorflow)