CVE-2026-2492
HIGHCVSS Vector
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
TensorFlow HDF5 Library Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of TensorFlow. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of plugins. The application loads plugins from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25480.
Analysis
TensorFlow's insecure plugin loading mechanism allows local attackers with low-privileged code execution to escalate privileges and run arbitrary commands with elevated context. The vulnerability stems from the application loading plugins from unprotected directories, enabling privilege escalation on affected systems. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify and inventory all systems running affected TensorFlow versions and assess whether they operate in shared or multi-tenant environments. Within 7 days: Implement network segmentation to restrict local access to TensorFlow systems and disable HDF5 file format support if not operationally required. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today