AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2020-15191: In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes an invalid argument to `dlpack.to_dlpack` the expected v

mediumvulnerability

security

Source: NVD/CVE DatabaseSeptember 25, 2020CVE-2020-15191

Summary

TensorFlow versions before 2.2.1 and 2.3.1 have a bug where invalid arguments to `dlpack.to_dlpack` (a function that converts data between formats) cause the code to create null pointers (memory references that point to nothing) without properly checking for errors. This can lead to the program crashing or behaving unpredictably when it tries to use these invalid pointers.

Solution / Mitigation

Update TensorFlow to version 2.2.1 or 2.3.1, which contain the patch for this issue.

Vulnerability Details

CVSS Score

5.3(medium)

EPSS (30-day exploit probability)

EPSS: 0.2%

Classification

Attack SophisticationModerate

Impact (CIA+S)

integrity

AI Component TargetedFramework

Taxonomy References

CWE (Weakness Type)

CWE-20 CWE-476 CWE-252

Affected Vendors

Original source: https://nvd.nist.gov/vuln/detail/CVE-2020-15191

First tracked: February 15, 2026 at 08:38 PM

Classified by LLM (prompt v3) · confidence: 92%