CVE-2020-26270
MEDIUMTensorFlow <1.15.5, <2.0.4, <2.1.3, <2.2.2, <2.3.2, <2.4.0 - DoS
Title source: llmDescription
In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.
References (2)
Core 2
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m648-33qf-v3gp
Patch, Third Party Advisory x_refsource_misc
https://github.com/tensorflow/tensorflow/commit/14755416e364f17fb1870882fa778c7fec7f16e3
Scores
CVSS v3
4.4
EPSS
0.0002
EPSS Percentile
5.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Details
CWE
CWE-20
Status
published
Products (4)
google/tensorflow
< 1.15.5
pypi/tensorflow
0 - 1.15.5PyPI
pypi/tensorflow-cpu
0 - 1.15.5PyPI
pypi/tensorflow-gpu
0 - 1.15.5PyPI
Published
Dec 10, 2020
Tracked Since
Feb 18, 2026