AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2020-15192: In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes a list of strings to `dlpack.to_dlpack` there is a memor

mediumvulnerability

security

Source: NVD/CVE DatabaseSeptember 25, 2020CVE-2020-15192

Summary

TensorFlow versions before 2.2.1 and 2.3.1 have a memory leak (wasted computer memory that isn't freed) when users pass a list of strings to a function called `dlpack.to_dlpack`. The bug happens because the code doesn't properly check for error conditions during validation, so it continues running even when it should stop and clean up.

Solution / Mitigation

Update TensorFlow to version 2.2.1 or 2.3.1, which include the fix released in commit 22e07fb204386768e5bcbea563641ea11f96ceb8.

Vulnerability Details

CVSS Score

4.3(medium)

EPSS (30-day exploit probability)

EPSS: 0.2%

Classification

Attack SophisticationTrivial

Impact (CIA+S)

availability

AI Component TargetedFramework

Taxonomy References

CWE (Weakness Type)

CWE-20 CWE-20

Affected Vendors

Original source: https://nvd.nist.gov/vuln/detail/CVE-2020-15192

First tracked: February 15, 2026 at 08:38 PM

Classified by LLM (prompt v3) · confidence: 95%