AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2020-26266: In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code

mediumvulnerability

security

Source: NVD/CVE DatabaseDecember 10, 2020CVE-2020-26266

Summary

CVE-2020-26266 is a vulnerability in TensorFlow where saved models can accidentally use uninitialized values (memory locations that haven't been set to a starting value) during execution because certain floating point data types weren't properly initialized in the Eigen library (a math processing component). This is a use of uninitialized resource (CWE-908) type bug that could lead to unpredictable behavior when running affected models.

Solution / Mitigation

This vulnerability is fixed in TensorFlow versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0. Users should update to one of these patched versions.

Vulnerability Details

CVSS Score

4.4(medium)

EPSS (30-day exploit probability)

EPSS: 0.1%

Classification

Attack SophisticationModerate

Impact (CIA+S)

integrity

AI Component TargetedFramework

Taxonomy References

CWE (Weakness Type)

CWE-908 CWE-908

Affected Vendors

Original source: https://nvd.nist.gov/vuln/detail/CVE-2020-26266

First tracked: February 15, 2026 at 08:38 PM

Classified by LLM (prompt v3) · confidence: 95%