{"id":"CVE-2020-15206","details":"In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, changing the TensorFlow's `SavedModel` protocol buffer and altering the name of required keys results in segfaults and data corruption while loading the model. This can cause a denial of service in products using `tensorflow-serving` or other inference-as-a-service installments. Fixed were added in commits f760f88b4267d981e13f4b302c437ae800445968 and fcfef195637c6e365577829c4d67681695956e7d (both going into TensorFlow 2.2.0 and 2.3.0 but not yet backported to earlier versions). However, this was not enough, as #41097 reports a different failure mode. The issue is patched in commit adf095206f25471e864a8e63a0f1caef53a0e3a6, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.","aliases":["BIT-tensorflow-2020-15206","GHSA-w5gh-2wr2-pm6g","PYSEC-2020-129","PYSEC-2020-286","PYSEC-2020-321"],"modified":"2026-04-11T21:48:54.197568Z","published":"2020-09-25T19:15:15.917Z","related":["GHSA-w5gh-2wr2-pm6g","openSUSE-SU-2020:1766-1","openSUSE-SU-2024:12116-1"],"database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"15.2"}],"source":"CPE_FIELD"}]},"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html"},{"type":"ADVISORY","url":"https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1"},{"type":"FIX","url":"https://github.com/tensorflow/tensorflow/commit/adf095206f25471e864a8e63a0f1caef53a0e3a6"},{"type":"EVIDENCE","url":"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-w5gh-2wr2-pm6g"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tensorflow/tensorflow","events":[{"introduced":"0"},{"fixed":"df8c55ce12b5cfc6f29b01889f7773911a75e6ef"},{"introduced":"64c3d382cadf7bbe8e7e99884bede8284ff67f56"},{"fixed":"295ad2781683835be974faba0a191528d8079768"},{"introduced":"e5bf8de410005de06a7ff5393fafdf832ef1d4ad"},{"fixed":"ab35f2bf7132f9d20a0bea9a5d1849862737d4b4"},{"introduced":"2b96f3662bd776e277f86997659e61046b56c315"},{"fixed":"25fba035f3e453d94490932096282c7b0624bbb3"},{"introduced":"b36436b087bd8e8701ef51718179037cccdfc26e"},{"fixed":"fcc4b966f1265f466e82617020af93670141b009"},{"fixed":"adf095206f25471e864a8e63a0f1caef53a0e3a6"}],"database_specific":{"cpe":"cpe:2.3:a:google:tensorflow:*:*:*:*:-:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"1.15.4"},{"introduced":"2.0.0"},{"fixed":"2.0.3"},{"introduced":"2.1.0"},{"fixed":"2.1.2"},{"introduced":"2.2.0"},{"fixed":"2.2.1"},{"introduced":"2.3.0"},{"fixed":"2.3.1"}],"source":["CPE_FIELD","REFERENCES"]}}],"versions":["0.5.0","0.6.0","v1.1.0-rc1","v1.1.0-rc2","v1.12.1","v1.15.0","v1.15.0-rc0","v1.15.0-rc1","v1.15.0-rc2","v1.15.0-rc3","v1.15.2","v1.15.3","v1.6.0-rc1","v1.9.0-rc2","v2.0.0","v2.0.1","v2.0.2","v2.1.0","v2.1.1","v2.2.0","v2.3.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15206.json","vanir_signatures":[{"source":"https://github.com/tensorflow/tensorflow/commit/adf095206f25471e864a8e63a0f1caef53a0e3a6","target":{"function":"ValidateSavedTensors","file":"tensorflow/cc/saved_model/loader.cc"},"signature_version":"v1","deprecated":false,"digest":{"length":782,"function_hash":"155868475473698525084890940101004146360"},"signature_type":"Function","id":"CVE-2020-15206-a12cc345"},{"source":"https://github.com/tensorflow/tensorflow/commit/adf095206f25471e864a8e63a0f1caef53a0e3a6","target":{"file":"tensorflow/cc/saved_model/saved_model_bundle_test.cc"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["237534103887748364220830727064066585132","170837560722536604194880464044811353759","286307140575876318387916612050744262433","323563108127178725677791790494549971107","17732570387851606237210235677755643667","236352336020948844563080399447754935689"],"threshold":0.9},"signature_type":"Line","id":"CVE-2020-15206-d5bbcfb2"},{"source":"https://github.com/tensorflow/tensorflow/commit/adf095206f25471e864a8e63a0f1caef53a0e3a6","target":{"file":"tensorflow/cc/saved_model/loader.cc"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["338190616035182775038198528436234399154","148766536483979643432142755610964573410","40144206039415416872947191952046039281","50880972336203447953015512691525575731","231177896755385998569505173431362088330","212050579421178254583815370675737945329","15732498788905406964130232664873721265","288312732286857555997161654430559937561","1030170627292010837458423041964814314","9461295898147610415915012011256524227","73018476478567671381663587074098932377","246510934274232964745368485417947261317","83399616403847180109930404997027711002","328904961739517098315002928622660330816","191310679275686034726484289274130958358","71639578638027540246252462553054130645","131119383171410596489459848086681282847","129659067311855524798173988662273724280","256635011232480088664078767409011026743","80521914854072498918596111092166530846","214890243390737349704641730626639627343","65150140748401481109861781464609500173","316718858588923928202372133322433344102","270315178876986731172907230823302644929","139429423249297773685190976104105202548","63726725965755184658985833465422142945","82582381114349747077940900134120862085"],"threshold":0.9},"signature_type":"Line","id":"CVE-2020-15206-e6e8371e"}],"vanir_signatures_modified":"2026-04-11T21:48:54Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}