CVE-2020-15205: In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `data_splits` argument of `tf.raw_ops.StringNGr
Summary
TensorFlow versions before 1.15.4, 2.0.3, 2.1.2, 2.2.1, and 2.3.1 have a vulnerability in the `StringNGrams` function where the `data_splits` argument (a parameter controlling how input data is divided) is not properly checked. This lack of validation allows attackers to trigger a heap overflow (a memory error where data overwrites adjacent memory), potentially exposing sensitive data like return addresses that could help bypass ASLR (address space layout randomization, a security technique that randomizes where programs load in memory).
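The missing check described above can be approximated on the caller side, before any values are passed as `data_splits`. The following is an added example, not code from TensorFlow or from the fix commit: it enforces the general row-splits invariants of a ragged tensor (non-empty, starts at 0, non-decreasing, ends at the number of data elements), and the names `validate_data_splits`, `check` and `InvalidSplitsError` are hypothetical.

```python
"""Added example: caller-side guard for data_splits (not TensorFlow code)."""
import operator
from typing import Sequence


class InvalidSplitsError(ValueError):
    """data_splits does not describe the data it accompanies."""


def validate_data_splits(data: Sequence, data_splits: Sequence) -> None:
    """Enforce the ragged row-splits invariants against len(data).

    Invariants: non-empty, starts at 0, never decreases, ends at len(data).
    Every value therefore lies in [0, len(data)] and cannot index past the
    end of the values buffer.
    """
    n = len(data)
    if len(data_splits) == 0:
        raise InvalidSplitsError("data_splits is empty")
    prev = 0
    for i, raw in enumerate(data_splits):
        try:
            s = operator.index(raw)  # accepts int and NumPy integer types
        except TypeError:
            raise InvalidSplitsError(f"data_splits[{i}] is not an integer") from None
        if not 0 <= s <= n:
            raise InvalidSplitsError(f"data_splits[{i}]={s} is outside [0, {n}]")
        if s < prev:
            raise InvalidSplitsError(f"data_splits[{i}]={s} decreases from {prev}")
        prev = s
    if operator.index(data_splits[0]) != 0:
        raise InvalidSplitsError("data_splits must start at 0")
    if operator.index(data_splits[-1]) != n:
        raise InvalidSplitsError(f"data_splits must end at len(data)={n}")


def check(data: Sequence, data_splits: Sequence) -> str:
    """Return 'ok' or the rejection reason, for logging before the op call."""
    try:
        validate_data_splits(data, data_splits)
    except InvalidSplitsError as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    tokens = ["a", "b", "c", "d"]  # constructed sample input
    for splits in ([0, 2, 4], [0, 2, 9], [0, 3, 2, 4], [1, 4], [0, 2], []):
        print(splits, "->", check(tokens, splits))
```

A guard like this is a stopgap for inputs that arrive from untrusted sources; it does not replace upgrading to a patched release.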
Solution / Mitigation
Update TensorFlow to version 1.15.4, 2.0.3, 2.1.2, 2.2.1, 2.3.1, or later. The issue is patched in commit 0462de5b544ed4731aa2fb23946ac22c01856b80.
Vulnerability Details
9 (critical)
EPSS: 0.5%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2020-15205
First tracked: February 15, 2026 at 08:38 PM