AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2020-15190: In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `tf.raw_ops.Switch` operation takes as input a

mediumvulnerability

security

Source: NVD/CVE DatabaseSeptember 25, 2020CVE-2020-15190

Summary

TensorFlow versions before 1.15.4, 2.0.3, 2.1.2, 2.2.1, and 2.3.1 have a bug in the `tf.raw_ops.Switch` operation where it tries to access a null pointer (a reference to nothing), causing the program to crash. The problem occurs because the operation outputs two tensors (data structures in machine learning frameworks) but only one is actually created, leaving the other as an undefined reference that shouldn't be accessed.

Solution / Mitigation

Update to TensorFlow version 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 or later. The issue is patched in commit da8558533d925694483d2c136a9220d6d49d843c.

Vulnerability Details

CVSS Score

5.3(medium)

EPSS (30-day exploit probability)

EPSS: 0.2%

Classification

Attack SophisticationModerate

Impact (CIA+S)

availability

AI Component TargetedFramework

Taxonomy References

CWE (Weakness Type)

CWE-20 CWE-476 CWE-476

Affected Vendors

Original source: https://nvd.nist.gov/vuln/detail/CVE-2020-15190

First tracked: February 15, 2026 at 08:38 PM

Classified by LLM (prompt v3) · confidence: 92%