{"id":"CVE-2020-15209","details":"In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one. The runtime assumes that these buffers are written to before a possible read, hence they are initialized with `nullptr`. However, by changing the buffer index for a tensor and implicitly converting that tensor to be a read-write one, as there is nothing in the model that writes to it, we get a null pointer dereference. The issue is patched in commit 0b5662bc, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.","aliases":["BIT-tensorflow-2020-15209","GHSA-qh32-6jjc-qprm","PYSEC-2020-132","PYSEC-2020-289","PYSEC-2020-324"],"modified":"2026-04-11T21:48:55.594505Z","published":"2020-09-25T19:15:16.213Z","related":["GHSA-qh32-6jjc-qprm","openSUSE-SU-2020:1766-1","openSUSE-SU-2024:12116-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","cpe":"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"15.2"}]}]},"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html"},{"type":"ADVISORY","url":"https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1"},{"type":"FIX","url":"https://github.com/tensorflow/tensorflow/commit/0b5662bc2be13a8c8f044d925d87fb6e56247cd8"},{"type":"EVIDENCE","url":"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qh32-6jjc-qprm"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tensorflow/tensorflow","events":[{"introduced":"0"},{"fixed":"df8c55ce12b5cfc6f29b01889f7773911a75e6ef"},{"introduced":"64c3d382cadf7bbe8e7e99884bede8284ff67f56"},{"fixed":"295ad2781683835be974faba0a191528d8079768"},{"introduced":"e5bf8de410005de06a7ff5393fafdf832ef1d4ad"},{"fixed":"ab35f2bf7132f9d20a0bea9a5d1849862737d4b4"},{"introduced":"2b96f3662bd776e277f86997659e61046b56c315"},{"fixed":"25fba035f3e453d94490932096282c7b0624bbb3"},{"introduced":"b36436b087bd8e8701ef51718179037cccdfc26e"},{"fixed":"fcc4b966f1265f466e82617020af93670141b009"},{"fixed":"0b5662bc2be13a8c8f044d925d87fb6e56247cd8"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:google:tensorflow:*:*:*:*:lite:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"1.15.4"},{"introduced":"2.0.0"},{"fixed":"2.0.3"},{"introduced":"2.1.0"},{"fixed":"2.1.2"},{"introduced":"2.2.0"},{"fixed":"2.2.1"},{"introduced":"2.3.0"},{"fixed":"2.3.1"}]}}],"versions":["0.5.0","0.6.0","v1.1.0-rc1","v1.1.0-rc2","v1.12.1","v1.15.0","v1.15.0-rc0","v1.15.0-rc1","v1.15.0-rc2","v1.15.0-rc3","v1.15.2","v1.15.3","v1.6.0-rc1","v1.9.0-rc2","v2.0.0","v2.0.1","v2.0.2","v2.1.0","v2.1.1","v2.2.0","v2.3.0"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/tensorflow/tensorflow/commit/0b5662bc2be13a8c8f044d925d87fb6e56247cd8","id":"CVE-2020-15209-1c08137f","digest":{"line_hashes":["118310501331616023350717681784829709784","57364967679429806816256655767148470264","102921009719167603431635488173237461403","53810865977217055415276430758078361965","305638738759426742636057687230277032594","34872329951284026900110491077515923900","202202117899958313685333926239881024739","157562451449126841672195308694127197625","149073477471276229723057206179610917054","274105956972391255319063024138059560180","230596824339254107197600048256212159624","309207681048257396052300636804196043320","65600312656929052008905661471385857207","144945867077828154796586203507136244400","124552705122710412742356347640769760909","131598364421439620296301899740248428117","189004029897638777771318898477545259908","84070706133558568929049029694655438503"],"threshold":0.9},"deprecated":false,"signature_type":"Line","signature_version":"v1","target":{"file":"tensorflow/lite/model_test.cc"}},{"source":"https://github.com/tensorflow/tensorflow/commit/0b5662bc2be13a8c8f044d925d87fb6e56247cd8","id":"CVE-2020-15209-432c9fb2","digest":{"function_hash":"66171894964802191235365235219766751684","length":2213},"deprecated":false,"signature_type":"Function","signature_version":"v1","target":{"file":"tensorflow/lite/core/subgraph.cc","function":"Subgraph::Invoke"}},{"source":"https://github.com/tensorflow/tensorflow/commit/0b5662bc2be13a8c8f044d925d87fb6e56247cd8","id":"CVE-2020-15209-54e67227","digest":{"line_hashes":["288632793624738279975311723889403186854","231838817353400695959687593382318508022","136835989989611429058744611617542146033","319476659976459967670411920219287419521","259493130716973356554453251726916005105","55895977300738371728966476833896950516","80620433833618409211919915782517539096","82089039147305956708211307876170608615"],"threshold":0.9},"deprecated":false,"signature_type":"Line","signature_version":"v1","target":{"file":"tensorflow/lite/core/subgraph.cc"}},{"source":"https://github.com/tensorflow/tensorflow/commit/0b5662bc2be13a8c8f044d925d87fb6e56247cd8","id":"CVE-2020-15209-94238736","digest":{"function_hash":"72409903535934688868846486751425969565","length":474},"deprecated":false,"signature_type":"Function","signature_version":"v1","target":{"file":"tensorflow/lite/model_test.cc","function":"TEST"}}],"vanir_signatures_modified":"2026-04-11T21:48:55Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15209.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}