CVE-2026-2492: TensorFlow: security flaw enables exploitation

Published February 20, 2026
CISO Take

CVE-2026-2492 is a local privilege escalation in TensorFlow via insecure HDF5 plugin loading (CWE-427). While requiring initial local access, shared ML training infrastructure—Jupyter hubs, GPU clusters, multi-tenant model serving environments—dramatically elevates real-world risk. Patch immediately and audit plugin directory permissions on any shared TensorFlow deployment.

What is the risk?

Medium-High in shared or multi-tenant ML environments; Low-Medium in isolated single-user deployments. The local attack vector is the key constraint—an attacker must already have low-privileged code execution. However, in AI/ML contexts, that bar is commonly cleared via compromised Jupyter notebooks, CI/CD pipeline runners, or shared GPU clusters where multiple teams operate. Privilege escalation in these environments can pivot to model theft, training data access, or broader infrastructure compromise.

How severe is it?

CVSS 3.1: N/A
EPSS: 0.2% chance of exploitation in 30 days (higher than 14% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

6 steps
  1. Patch: Apply TensorFlow commit 46e7f7fb144fd11cf6d17c23dd47620328d77082—monitor for an official release tag and prioritize upgrade across all environments.

  2. Harden plugin directories: Restrict write permissions on TensorFlow plugin search paths to root/service account only; eliminate world-writable permissions.

  3. Isolate workloads: Run TensorFlow jobs in separate containers or VMs per user/team on shared infrastructure—do not allow cross-tenant filesystem access.

  4. Least privilege: Service accounts running TensorFlow should have minimal filesystem permissions.

  5. Detect: Deploy inotify/auditd rules on TensorFlow plugin directories to alert on unexpected file creation or modification.

  6. Audit: Inventory all shared ML compute environments running TensorFlow with HDF5 support and prioritize those with multi-user access.
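Steps 2 and 5 above can be scripted. The following audit is an added example, not code from the advisory or from the TensorFlow project: it checks each directory on the plugin search path for weak ownership and permissions and emits a matching auditd watch rule. It assumes the search path is given by HDF5_PLUGIN_PATH (the HDF5 library's own colon-separated variable) or HDF5's Linux default; the advisory does not name TensorFlow's exact path, so pass your deployment's directories explicitly.

```shell
#!/bin/sh
# Added example, not part of the advisory or of TensorFlow. Audits the directories
# an HDF5-enabled TensorFlow process may search for filter plugins (steps 2 and 5).
# Assumption: the path comes from HDF5_PLUGIN_PATH or HDF5's Linux default; pass
# your own directories if TensorFlow is configured differently.

# mode_of PATH -> 10-char symbolic mode, e.g. drwxrwxrwt (POSIX ls, so portable)
mode_of() { ls -ld "$1" | cut -c1-10; }

# check_plugin_dir DIR [OWNER] -> 0 if DIR is owned by OWNER (default root) and
# writable by nobody else, 1 if any finding; findings are printed one per line.
check_plugin_dir() {
  dir=$1; want=${2:-root}; rc=0
  if [ ! -d "$dir" ]; then
    echo "INFO  $dir does not exist (nothing to load, nothing to hijack)"
    return 0
  fi
  mode=$(mode_of "$dir")
  owner=$(ls -ld "$dir" | awk '{print $3}')
  # Column 9 is the others-write bit, column 6 the group-write bit.
  [ "$(printf '%s' "$mode" | cut -c9)" = w ] &&
    { echo "FAIL  $dir is world-writable ($mode)"; rc=1; }
  [ "$(printf '%s' "$mode" | cut -c6)" = w ] &&
    { echo "WARN  $dir is group-writable ($mode)"; rc=1; }
  [ "$owner" = "$want" ] ||
    { echo "WARN  $dir is owned by $owner, expected $want"; rc=1; }
  # A writable shared object inside a locked-down directory is just as bad.
  for so in "$dir"/*.so "$dir"/*.so.*; do
    [ -f "$so" ] || continue
    case $(mode_of "$so" | cut -c6,9) in
      *w*) echo "FAIL  $so is group- or world-writable"; rc=1 ;;
    esac
  done
  return $rc
}

# auditd_rule DIR -> auditctl rule: alert on writes and attribute changes in DIR.
auditd_rule() { printf '%s\n' "-w $1 -p wa -k tf_hdf5_plugin"; }

# audit_plugin_path [PATH] [OWNER] -> checks every directory of the colon-
# separated PATH (default: HDF5_PLUGIN_PATH or /usr/local/hdf5/lib/plugin).
audit_plugin_path() {
  path=${1:-${HDF5_PLUGIN_PATH:-/usr/local/hdf5/lib/plugin}}; want=${2:-root}
  status=0; saved_ifs=$IFS; IFS=:; set -- $path; IFS=$saved_ifs
  for d; do
    check_plugin_dir "$d" "$want" || status=1
    auditd_rule "$d"
  done
  return $status
}
```

Run it as the account that owns the plugin directories on each shared node; a non-zero exit means at least one directory or shared object needs its permissions fixed before the emitted rules are loaded with auditctl.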

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2 - AI Supply Chain Management
A.8.2 - AI System Operation and Monitoring
A.9.4 - AI system risk management: operational risk controls
NIST AI RMF
GOVERN-6.1 - Policies and procedures for systematic monitoring and updating of AI systems
MANAGE 2.2 - Risk Treatment
MANAGE-2.4 - Identified risks are prioritized based on impact and likelihood
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-2492 actively exploited?

No confirmed active exploitation of CVE-2026-2492 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-2492?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML infrastructure, data preprocessing pipelines, ML notebooks (Jupyter/JupyterHub), CI/CD ML pipelines.

What is the CVSS score for CVE-2026-2492?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

training pipelines
model serving
shared ML infrastructure
data preprocessing pipelines
ML notebooks (Jupyter/JupyterHub)
CI/CD ML pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.001 Malicious Package
AML.T0018.002 Embed Malware
AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2, A.8.2, A.9.4
NIST AI RMF: GOVERN-6.1, MANAGE 2.2, MANAGE-2.4
OWASP LLM Top 10: LLM03:2025, LLM05

What are the technical details?

Original Advisory

TensorFlow HDF5 Library Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of TensorFlow. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of plugins. The application loads plugins from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25480.

Exploitation Scenario

An attacker compromises a low-privileged account on a shared GPU training cluster (e.g., via a malicious Jupyter notebook, stolen SSH key, or exploited web-facing ML service). They identify TensorFlow's plugin search path on the local filesystem—a world-writable or user-accessible directory. The attacker drops a crafted shared library (.so) into this path. When a privileged user or automated training pipeline subsequently invokes TensorFlow with HDF5 operations (e.g., loading .h5 model weights or datasets), TensorFlow loads the attacker's malicious plugin, executing arbitrary code in the higher-privileged context. Post-escalation, the attacker can exfiltrate trained models, access proprietary training data, establish persistence, or pivot to the broader ML infrastructure.

Weaknesses (CWE)

CWE-427 — Uncontrolled Search Path Element: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

  • [Architecture and Design, Implementation] Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
  • [Implementation] When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Source: MITRE CWE corpus.

Timeline

Published
February 20, 2026
Last Modified
April 15, 2026
First Seen
February 20, 2026