CVE-2020-15265: In Tensorflow before version 2.4.0, an attacker can pass an invalid `axis` value to `tf.quantization.quantize_and_dequan
Summary
In TensorFlow before version 2.4.0, an attacker can provide an invalid `axis` parameter (a setting that specifies which dimension of data to work with) to a quantization function, causing the program to access memory outside the bounds of an array, which crashes the system. The vulnerability exists because the code only uses DCHECK (a debug-only validation that is disabled in normal builds) rather than proper runtime validation.
Solution / Mitigation
The issue is patched in commit eccb7ec454e6617738554a255d77f08e60ee0808. Upgrade to TensorFlow 2.4.0 or later, or use TensorFlow nightly packages released after this commit.
Vulnerability Details
5.9(medium)
EPSS: 0.2%
Classification
Affected Vendors
Related Issues
CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne
CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi
Original source: https://nvd.nist.gov/vuln/detail/CVE-2020-15265
First tracked: February 15, 2026 at 08:38 PM
Classified by LLM (prompt v3) · confidence: 95%