CVE-2020-26268: TensorFlow: ImmutableConst segfault crashes Python interpreter

MEDIUM PoC AVAILABLE
Published December 10, 2020
CISO Take

A medium-severity local vulnerability in TensorFlow allows an attacker with low privileges to crash the Python interpreter by passing non-integral tensor types to tf.raw_ops.ImmutableConst. Real-world risk is highest in shared ML compute environments (multi-user Jupyter hubs, training clusters) where a single crash disrupts other tenants' workloads. Upgrade to TensorFlow 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, or 2.4.0 — no workaround exists short of patching.

Risk Assessment

Low-to-medium operational risk. No remote exploitation, no data exfiltration, no code execution: impact is confined to availability and minor integrity of memory-mapped files. Risk escalates in multi-tenant ML platforms or automated training pipelines where a crash terminates long-running GPU jobs, causing financial and operational impact. The absence of a CISA KEV listing and the 2020 publication date suggest no active exploitation in the wild; however, legacy TensorFlow deployments in air-gapped or poorly maintained ML infrastructure remain silently vulnerable.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 4.4 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 5% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: Low
A: Low

Recommended Action

5 steps
  1. PATCH

    Upgrade TensorFlow to 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, or 2.4.0+. No configuration workaround exists.

  2. AUDIT

    Grep codebases for tf.raw_ops.ImmutableConst and validate all tensor type assumptions — only integral types (int32, int64, etc.) are safe on unpatched versions.

  3. HARDEN

    Set memory-mapped model files to read-only (chmod 444) as defense-in-depth; restrict which users can place files in directories read by training pipelines.

  4. ISOLATE

    Run TF training and inference in separate containers or processes to limit crash blast radius across tenants.

  5. DETECT

    Alert on unexpected TF/Python process crashes in ML infrastructure; repeated crashes of training jobs are a signal.
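
Steps 1 and 2 can be scripted. The following is an added example, not code from this advisory or from the TensorFlow project: it checks a version string against the fixed releases listed above and statically scans Python source for ImmutableConst calls whose dtype is not a literal integral type. The function names, the INTEGRAL set and the sample source are assumptions constructed for illustration; branches with no listed fix are treated as unpatched.

```python
import ast
import re

# Fixed patch level per release branch, from the advisory text above.
FIXED = {(1, 15): 5, (2, 0): 4, (2, 1): 3, (2, 2): 2, (2, 3): 2}
# Assumption: the dtype names treated as "integral" for the audit.
INTEGRAL = {"int8", "int16", "int32", "int64",
            "uint8", "uint16", "uint32", "uint64"}

def is_patched(version: str) -> bool:
    """True only if a final x.y.z release is at or past a listed fix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:  # pre-release or unparseable: treat as unverified
        return False
    major, minor, patch = map(int, m.groups())
    if (major, minor) >= (2, 4):  # 2.4.0 and later carry the fix
        return True
    # Assumption: branches with no listed fix (e.g. 1.14) count as unpatched.
    return patch >= FIXED.get((major, minor), float("inf"))

def find_immutable_const(source: str):
    """Return sorted (line, dtype_text, needs_review) per ImmutableConst call."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        f = node.func  # matches both tf.raw_ops.ImmutableConst and a bare import
        if getattr(f, "attr", getattr(f, "id", None)) != "ImmutableConst":
            continue
        dtype = next((k.value for k in node.keywords if k.arg == "dtype"), None)
        text = ast.unparse(dtype) if dtype is not None else "<missing>"
        # Only a literal integral dtype (tf.int32, ...) is accepted; anything
        # computed at run time is flagged for manual review.
        hits.append((node.lineno, text, text.rsplit(".", 1)[-1] not in INTEGRAL))
    return sorted(hits)

# Constructed sample input (never executed, only parsed).
SAMPLE = """\
import tensorflow as tf
a = tf.raw_ops.ImmutableConst(dtype=tf.int32, shape=[4], memory_region_name=p)
b = tf.raw_ops.ImmutableConst(dtype=tf.float32, shape=[4], memory_region_name=p)
c = tf.raw_ops.ImmutableConst(dtype=cfg.dtype, shape=[4], memory_region_name=p)
"""

if __name__ == "__main__":
    for v in ("1.15.4", "2.3.2", "2.4.0"):
        print(v, "patched" if is_patched(v) else "UNPATCHED")
    for line, dtype, review in find_immutable_const(SAMPLE):
        print(f"line {line}: dtype={dtype} review={review}")
```

In a real audit, pass `tf.__version__` to `is_patched` and run `find_immutable_const` over each `.py` file in the repository; ast.unparse requires Python 3.9 or later.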

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.1 - Operational planning and control
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2020-26268 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-26268, increasing the risk of exploitation.

What systems are affected by CVE-2020-26268?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML development environments.

What is the CVSS score for CVE-2020-26268?

CVE-2020-26268 has a CVSS v3.1 base score of 4.4 (MEDIUM). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is needed for the tensor it creates. However, as soon as there are enough bytes, the above snippet causes a segmentation fault. This is because the allocator used to return the buffer data is not marked as returning an opaque handle since the needed virtual method is not overridden. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.

Exploitation Scenario

An insider or compromised service account on a shared ML training cluster creates a crafted model file with a float32 tensor type and places it in a shared directory consumed by automated training pipelines. When the pipeline invokes ImmutableConst to load the constant, TensorFlow attempts to write to the memory-mapped read-only region, triggering a segmentation fault that immediately terminates the Python process. On a GPU cluster running overnight training jobs, this causes the job to abort, wasting expensive compute time and forcing retraining. In a CI/CD ML pipeline, an adversary could repeatedly inject crafted files to prevent models from ever completing training — a sustained, low-signature denial-of-service.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Timeline

Published: December 10, 2020
Last Modified: November 21, 2024
First Seen: December 10, 2020
