Source: tensorflow
Version: 2.14.1+dfsg-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for tensorflow.

CVE-2026-2492[0]:
| TensorFlow HDF5 Library Uncontrolled Search Path Element Local
| Privilege Escalation Vulnerability. This vulnerability allows local
| attackers to escalate privileges on affected installations of
| TensorFlow. An attacker must first obtain the ability to execute
| low-privileged code on the target system in order to exploit this
| vulnerability. The specific flaw exists within the handling of
| plugins. The application loads plugins from an unsecured location.
| An attacker can leverage this vulnerability to escalate privileges
| and execute arbitrary code in the context of a target user. Was
| ZDI-CAN-25480.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-2492
    https://www.cve.org/CVERecord?id=CVE-2026-2492
[1] https://www.zerodayinitiative.com/advisories/ZDI-26-116/
[2] https://github.com/tensorflow/tensorflow/commit/46e7f7fb144fd11cf6d17c23dd47620328d77082

Regards,
Salvatore

