CVE-2020-26267: TensorFlow: OOB read in DataFormatVecPermute op

HIGH PoC AVAILABLE
Published December 10, 2020
CISO Take

TensorFlow's DataFormatVecPermute raw op fails to validate format string inputs, enabling out-of-bounds memory reads, potential memory disclosure, and process crashes. Patch immediately to TF 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, or 2.4.0 — any shared training infrastructure or multi-tenant ML platform running older versions is exposed to local privilege abuse. If immediate patching is not possible, restrict access to raw_ops APIs and audit who can submit training jobs.

Risk Assessment

CVSS 7.8 High with local attack vector and low privilege requirement. In isolated single-user environments the risk is contained, but shared ML training clusters (common in enterprise MLOps platforms) significantly elevate exposure — any tenant able to submit a TF job can trigger the bug. The combination of uninitialized memory access and OOB reads creates potential for information disclosure beyond just DoS. EPSS data unavailable for this older CVE but the low exploitation complexity makes it accessible to non-expert attackers with local access.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
tensorflow | pip | | No patch

Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 5% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

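Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High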

Recommended Action

5 steps
  1. PATCH

    Upgrade TensorFlow to 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, or 2.4.0 — no workaround is viable for production.

  2. INVENTORY

    Identify all TF instances via 'pip show tensorflow' or 'conda list tensorflow' across training nodes, Jupyter servers, CI/CD pipelines, and model serving endpoints.

  3. ISOLATE

    On multi-tenant ML platforms, enforce per-user sandboxing (containers/VMs) to limit blast radius until patched.

  4. DETECT

    Monitor for abnormal TF process crashes (SIGABRT, SIGSEGV) in training logs — repeated crashes may indicate exploitation attempts.

  5. VERIFY

    After patching, confirm via 'import tensorflow as tf; print(tf.__version__)' that the patched version is active in all runtime environments.
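
An added example (not part of the original advisory) for the INVENTORY and VERIFY steps: it classifies the version reported by `pip show` against the fixed releases listed above. The set of distribution names, the rule that a branch with no listed fix counts as vulnerable, and the sample output are assumptions made for illustration.

```python
import re
# Fixed release per branch, taken from the advisory text; 2.4.0 and later carry the fix.
FIXED = {(1, 15): 5, (2, 0): 4, (2, 1): 3, (2, 2): 2, (2, 3): 2, (2, 4): 0}
# Distribution names treated as TensorFlow builds (assumption, extend as needed).
TF_DISTS = {"tensorflow", "tensorflow-gpu", "tensorflow-cpu"}

def is_patched(version):
    """True/False for a parseable version; None when a human should review it."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)", version.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups()[:3])
    prerelease = bool(re.match(r"\.?(rc|a|b|dev)", m.group(4)))
    branch = (major, minor)
    if branch > max(FIXED):
        return True
    if branch not in FIXED:  # assumption: no listed fix (e.g. 1.14) means vulnerable
        return False
    if patch == FIXED[branch] and prerelease:
        return None  # e.g. 2.4.0rc1: a pre-release of the fixed version
    return patch >= FIXED[branch]

def audit(pip_show_output):
    """Map each TensorFlow distribution in `pip show` output to (version, verdict)."""
    findings, name = {}, None
    for line in pip_show_output.splitlines():
        key, _, value = line.partition(":")
        if key == "Name":
            name = value.strip().lower().replace("_", "-")
        elif key == "Version" and name in TF_DISTS:
            verdict = is_patched(value)
            label = "review" if verdict is None else "patched" if verdict else "VULNERABLE"
            findings[name] = (value.strip(), label)
    return findings

# Constructed sample of `pip show tensorflow tensorflow-gpu tensorflow-estimator` output.
SAMPLE = """\
Name: tensorflow
Version: 2.3.1
---
Name: tensorflow-gpu
Version: 1.15.5
---
Name: tensorflow-estimator
Version: 2.3.0
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it once per interpreter or container image, since a host can carry several environments with different TensorFlow builds.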

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art.9 - Risk management system
ISO 42001: 8.4 - AI system lifecycle — development and acquisition
NIST AI RMF: MANAGE-2.2 - Mechanisms are in place to inventory AI systems and manage associated risks
OWASP LLM Top 10: LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2020-26267 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-26267, increasing the risk of exploitation.

What systems are affected by CVE-2020-26267?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML platforms.

What is the CVSS score for CVE-2020-26267?

CVE-2020-26267 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.

Exploitation Scenario

An adversary with access to a shared Kubeflow or SageMaker training cluster submits a malicious training job that invokes tf.raw_ops.DataFormatVecPermute with crafted src_format and dst_format strings that do not represent valid NHWC permutations. The unvalidated inputs cause TensorFlow to perform out-of-bounds reads on adjacent memory, potentially exposing training data, model weights, or environment variables from co-located jobs. In a denial-of-service variant, the adversary repeatedly triggers crashes to disrupt competing training runs or delay production model deployments. No special ML knowledge is required — the exploit is a simple API call with invalid string parameters.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: December 10, 2020
Last Modified: November 21, 2024
First Seen: December 10, 2020
