CVE-2020-26267: TensorFlow: OOB read in DataFormatVecPermute op
HIGH | PoC AVAILABLE
TensorFlow's DataFormatVecPermute raw op fails to validate format string inputs, enabling out-of-bounds memory reads, potential memory disclosure, and process crashes. Patch immediately to TF 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, or 2.4.0 — any shared training infrastructure or multi-tenant ML platform running older versions is exposed to local privilege abuse. If immediate patching is not possible, restrict access to raw_ops APIs and audit who can submit training jobs.
What is the risk?
CVSS 7.8 High with local attack vector and low privilege requirement. In isolated single-user environments the risk is contained, but shared ML training clusters (common in enterprise MLOps platforms) significantly elevate exposure — any tenant able to submit a TF job can trigger the bug. The combination of uninitialized memory access and OOB reads creates potential for information disclosure beyond just DoS. EPSS data unavailable for this older CVE but the low exploitation complexity makes it accessible to non-expert attackers with local access.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
What should I do?
5 steps:
1. PATCH: Upgrade TensorFlow to 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, or 2.4.0 — no workaround is viable for production.
2. INVENTORY: Identify all TF instances via 'pip show tensorflow' or 'conda list tensorflow' across training nodes, Jupyter servers, CI/CD pipelines, and model serving endpoints.
3. ISOLATE: On multi-tenant ML platforms, enforce per-user sandboxing (containers/VMs) to limit blast radius until patched.
4. DETECT: Monitor for abnormal TF process crashes (SIGABRT, SIGSEGV) in training logs — repeated crashes may indicate exploitation attempts.
5. VERIFY: After patching, confirm via 'import tensorflow as tf; print(tf.__version__)' that the patched version is active in all runtime environments.
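For the inventory and verify steps, a version string has to be compared against the fixed release of its own branch, since 2.1.2 is numerically newer than 2.0.4 yet still unpatched. The following is an added example, not code from the advisory or from TensorFlow; the treatment of unlisted branches and pre-release builds, the `tensorflow-cpu`/`tensorflow-gpu` package names, and the sample input are assumptions.

```python
import re

# Fixed releases named on this page, keyed by (major, minor) release branch.
FIXED = {(1, 15): 5, (2, 0): 4, (2, 1): 3, (2, 2): 2, (2, 3): 2, (2, 4): 0}
# TensorFlow's PyPI distributions; the page itself names only "TensorFlow".
PACKAGES = {"tensorflow", "tensorflow-cpu", "tensorflow-gpu"}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]?(a|b|rc|dev)\d*)?")


def is_patched(version):
    """True if `version` contains the fix according to the page's list."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # No fix listed for this branch. Assumption (not stated on the page):
        # branches after 2.4 carry the fix, older unlisted branches do not.
        return (major, minor) > (2, 4)
    if patch == fixed_patch and prerelease:
        return False  # conservative: treat rc/dev builds of the fix as unpatched
    return patch >= fixed_patch


def audit(freeze_lines):
    """Return (package, version, status) for TensorFlow pins in pip-freeze lines."""
    findings = []
    for line in freeze_lines:
        name, sep, version = line.strip().partition("==")
        if sep and name.lower().replace("_", "-") in PACKAGES:
            status = "patched" if is_patched(version) else "VULNERABLE"
            findings.append((name, version, status))
    return findings


# Constructed sample: `pip freeze` lines collected from several environments.
SAMPLE = ["numpy==1.18.5", "tensorflow==2.1.2", "tensorflow-gpu==2.3.2",
          "tensorflow-cpu==2.4.0rc1"]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```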
Frequently Asked Questions
Is CVE-2020-26267 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2020-26267, increasing the risk of exploitation.
What systems are affected by CVE-2020-26267?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML platforms.
What is the CVSS score for CVE-2020-26267?
CVE-2020-26267 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.24%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0016.001 Software Tools
- AML.T0049 Exploit Public-Facing Application
Compliance Controls Affected
What are the technical details?
Original Advisory
In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.
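Where callers cannot be moved to a fixed release yet, the missing check can be enforced in front of the op. The following is an added example, not TensorFlow's fix and not code from the advisory: it accepts only permutations of NHWC, following the advisory's wording, and models the intended result for a length-4 vector; the function names and the injectable `op` parameter are hypothetical.

```python
REFERENCE = "NHWC"  # the permutation base the advisory says the op assumes


def validate_formats(src_format, dst_format):
    """Raise ValueError unless both strings are permutations of NHWC."""
    for name, value in (("src_format", src_format), ("dst_format", dst_format)):
        if not isinstance(value, str):
            raise ValueError(f"{name} must be a str, got {type(value).__name__}")
        # One comparison covers wrong length, duplicates and unknown characters.
        if sorted(value) != sorted(REFERENCE):
            raise ValueError(f"{name}={value!r} is not a permutation of {REFERENCE}")


def permute_reference(x, src_format="NHWC", dst_format="NCHW"):
    """Pure-Python model of the intended result for a length-4 vector."""
    validate_formats(src_format, dst_format)
    if len(x) != len(REFERENCE):
        raise ValueError(f"x must have {len(REFERENCE)} elements, got {len(x)}")
    # After validation every dst character has exactly one position in src,
    # so each index lookup is defined and in range.
    return [x[src_format.index(ch)] for ch in dst_format]


def guarded_vec_permute(x, src_format="NHWC", dst_format="NCHW", op=None):
    """Validate first, then call the real op (or an injected stand-in)."""
    validate_formats(src_format, dst_format)
    if op is None:
        import tensorflow as tf  # imported lazily; only needed on this path
        op = tf.raw_ops.DataFormatVecPermute
    return op(x=x, src_format=src_format, dst_format=dst_format)


if __name__ == "__main__":
    print(permute_reference([1, 2, 3, 4]))  # NHWC -> NCHW
```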
Exploitation Scenario
An adversary with access to a shared Kubeflow or SageMaker training cluster submits a malicious training job that invokes tf.raw_ops.DataFormatVecPermute with crafted src_format and dst_format strings that do not represent valid NHWC permutations. The unvalidated inputs cause TensorFlow to perform out-of-bounds reads on adjacent memory, potentially exposing training data, model weights, or environment variables from co-located jobs. In a denial-of-service variant, the adversary repeatedly triggers crashes to disrupt competing training runs or delay production model deployments. No special ML knowledge is required — the exploit is a simple API call with invalid string parameters.
Weaknesses (CWE)
CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] Use a language that provides appropriate memory abstractions.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
- github.com/tensorflow/tensorflow/commit/ebc70b7a592420d3d2f359e4b1694c236b82c7ae Patch 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-c9f3-9wfr-wgh7 Exploit Patch 3rd Party
Timeline
Related Vulnerabilities
- CVE-2020-15196 | 9.9 | TensorFlow: heap OOB read in sparse/ragged count ops | Same package: tensorflow
- CVE-2020-15205 | 9.8 | TensorFlow: heap overflow in StringNGrams, ASLR bypass | Same package: tensorflow
- CVE-2020-15208 | 9.8 | TFLite: OOB read/write via tensor dimension mismatch | Same package: tensorflow
- CVE-2019-16778 | 9.8 | TensorFlow: heap overflow in UnsortedSegmentSum op | Same package: tensorflow
- CVE-2022-23587 | 9.8 | TensorFlow: integer overflow in Grappler enables RCE | Same package: tensorflow