CVE-2020-26266— Uninitialized memory access in Eigen types in TensorFlow
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2020-26266
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Uninitialized memory access in Eigen types in TensorFlow
Source: NVD (National Vulnerability Database)
Vulnerability Description
In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
对未经初始化资源的使用
Source: NVD (National Vulnerability Database)
Vulnerability Title
Google TensorFlow 缓冲区错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Google TensorFlow是美国谷歌(Google)公司的一套用于机器学习的端到端开源平台。 TensorFlow存在缓冲区错误漏洞,该漏洞源于张量缓冲区填充了该类型的默认值,却忘记了默认初始化Eigen中的量化浮点类型。攻击者可利用该漏洞导致缓冲区溢出。以下产品及版本受到影响:1.15.5、2.0.4、2.1.3、2.2.2、2.3.2、2.4.0。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| tensorflow | tensorflow | < 1.15.5 | - |
II. Public POCs for CVE-2020-26266
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2020-26266
请登录查看更多情报信息。
Same Patch Batch · tensorflow · 2020-12-10 · 6 CVEs total
| CVE-2020-26271 | 4.4 MEDIUM | Heap out of bounds access in MakeEdge in TensorFlow |
| CVE-2020-26270 | 4.4 MEDIUM | CHECK-fail in LSTM with zero-length input in TensorFlow |
| CVE-2020-26268 | 4.4 MEDIUM | Write to immutable memory region in TensorFlow |
| CVE-2020-26267 | 4.4 MEDIUM | Lack of validation in data format attributes in TensorFlow |
| CVE-2020-26269 | Heap out of bounds read in filesystem glob matching in TensorFlow |
IV. Related Vulnerabilities
Same product: tensorflow
Same vendor: tensorflow
- CVE-2026-2492
TensorFlow HDF5 Library Uncontrolled Search Path Element Loc - CVE-2023-33976
TensorFlow segfault in array_ops.upper_bound - CVE-2024-3660
Arbitrary code injection vulnerability in Keras framework < - CVE-2023-25661
Denial of Service in TensorFlow - CVE-2023-25660
TensorFlow vulnerable to seg fault in `tf.raw_ops.Print`
Same weakness: CWE-908
- CVE-2026-7141
vllm KV Block kv_cache_interface.py has_mamba_layers uniniti - CVE-2026-26175
Windows Boot Manager Security Feature Bypass Vulnerability - CVE-2026-34543
OpenEXR: Heap information disclosure in PXR24 decompression - CVE-2026-27496
n8n has In-Process Memory Disclosure in its Task Runner - CVE-2025-12736
multimedia_audio_standard has an insecure storage of sensiti
V. Comments for CVE-2020-26266
No comments yet