CVE-2020-15211: In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a do
Summary
TensorFlow Lite (a machine learning framework for mobile devices) versions before 1.15.4, 2.0.3, 2.1.2, 2.2.1, and 2.3.1 have a vulnerability in how they validate saved models. The framework uses a special index value of -1 to mark optional inputs, but this value is incorrectly accepted for all operators and even output tensors, allowing attackers to read and write data outside the intended memory boundaries.
Solution / Mitigation
Upgrade to TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. Alternatively, the source mentions a potential workaround: "add a custom Verifier to the model loading code to ensure that only operators which accept optional inputs use the -1 special value and only for the tensors that they expect to be optional," though the source advises that this approach "is erro-prone" and recommends upgrading instead.
Vulnerability Details
4.8(medium)
EPSS: 0.3%
Classification
Affected Vendors
Related Issues
CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne
CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi
Original source: https://nvd.nist.gov/vuln/detail/CVE-2020-15211
First tracked: February 15, 2026 at 08:38 PM
Classified by LLM (prompt v3) · confidence: 95%