CVE-2026-2492
CVE-2026-2492 is a local privilege escalation in TensorFlow caused by insecure HDF5 plugin loading (CWE-427, Uncontrolled Search Path Element). Exploitation requires existing local access, but shared ML training infrastructure (Jupyter hubs, GPU clusters, multi-tenant model serving environments) puts low-privileged and privileged users on the same filesystem, which raises the real-world risk considerably. Patch promptly and audit plugin directory permissions on any shared TensorFlow deployment.
Recommended Action
- 1. Patch: Apply TensorFlow commit 46e7f7fb144fd11cf6d17c23dd47620328d77082; monitor for an official release tag and prioritize the upgrade across all environments.
- 2. Harden plugin directories: Restrict write permissions on the HDF5 plugin search path (the directories listed in HDF5_PLUGIN_PATH, or the library's compiled-in default plugin directory when that variable is unset) to root or the service account only; eliminate group- and world-writable permissions, and pre-create any missing search-path directory with safe permissions so that a local user cannot create it first.
- 3. Isolate workloads: Run TensorFlow jobs in separate containers or VMs per user or team on shared infrastructure; do not allow cross-tenant filesystem access.
- 4. Least privilege: Service accounts running TensorFlow should have minimal filesystem permissions.
- 5. Detect: Deploy inotify or auditd rules on the plugin search-path directories to alert on unexpected file creation or modification.
- 6. Audit: Inventory all shared ML compute environments running TensorFlow with HDF5 support and prioritize those with multi-user access.
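The following script is an added example for steps 2 and 5 above; it is not from the advisory or the TensorFlow project. It walks the HDF5 plugin search path, reports any entry that is group- or world-writable, owned by someone other than the expected account, or missing altogether, and emits matching auditctl watch rules. It assumes libhdf5 resolves plugins from the colon-separated HDF5_PLUGIN_PATH with a compiled-in default directory as fallback (the Linux default used here is an assumption; set DEFAULT_PLUGIN_DIR for your build), that GNU `stat -c` is available, and that ALLOWED_OWNER names the only account permitted to own plugin directories and files.

```shell
#!/bin/sh
# Added example: audit the directories libhdf5 may load filter plugins from.
# Not from the advisory or TensorFlow. Assumptions:
#  - plugins come from HDF5_PLUGIN_PATH, else from DEFAULT_PLUGIN_DIR (the
#    value below is the usual Linux build default; override for your build);
#  - GNU coreutils `stat -c` (Linux; macOS uses `stat -f`);
#  - ALLOWED_OWNER is the only account allowed to own plugin dirs and files.

DEFAULT_PLUGIN_DIR="${DEFAULT_PLUGIN_DIR:-/usr/local/hdf5/lib/plugin}"
ALLOWED_OWNER="${ALLOWED_OWNER:-root}"

# plugin_dirs: print one candidate plugin directory per line, in search order.
plugin_dirs() {
    if [ -n "${HDF5_PLUGIN_PATH:-}" ]; then
        printf '%s\n' "$HDF5_PLUGIN_PATH" | tr ':' '\n'
    else
        printf '%s\n' "$DEFAULT_PLUGIN_DIR"
    fi
}

# path_is_locked PATH: 0 if PATH is owned by ALLOWED_OWNER and has neither the
# group nor the world write bit set; 1 otherwise (reason printed).
path_is_locked() {
    p=$1
    mode=$(stat -c '%a' "$p") || return 1
    owner=$(stat -c '%U' "$p") || return 1
    # 022 is the octal mask of the group and world write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        printf 'WRITABLE mode=%s %s\n' "$mode" "$p"
        return 1
    fi
    if [ "$owner" != "$ALLOWED_OWNER" ]; then
        printf 'OWNER %s (expected %s) %s\n' "$owner" "$ALLOWED_OWNER" "$p"
        return 1
    fi
    return 0
}

# check_dir DIR: 0 = safe, 1 = unsafe (directory or a file inside it fails
# path_is_locked), 2 = missing. A missing entry is reported because whoever
# creates it first controls what gets loaded from it.
check_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        printf 'MISSING %s\n' "$dir"
        return 2
    fi
    rc=0
    path_is_locked "$dir" || rc=1
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        path_is_locked "$f" || rc=1
    done
    return $rc
}

# audit_plugin_dirs: check every search-path entry; exit status is the worst
# result seen (1 if anything is unsafe, else 2 if anything is missing, else 0).
audit_plugin_dirs() {
    worst=0
    saved_ifs=$IFS
    IFS='
'
    for d in $(plugin_dirs); do
        check_dir "$d"
        r=$?
        if [ "$r" -eq 1 ]; then worst=1
        elif [ "$r" -eq 2 ] && [ "$worst" -eq 0 ]; then worst=2
        fi
    done
    IFS=$saved_ifs
    [ "$worst" -eq 0 ] && printf 'OK: plugin search path is locked down\n'
    return $worst
}

# auditd_rules: one auditctl watch per search-path entry; writes and attribute
# changes under it are logged with the key hdf5_plugin.
auditd_rules() {
    plugin_dirs | while IFS= read -r d; do
        printf '%s %s -p wa -k hdf5_plugin\n' '-w' "$d"
    done
}

case "${1:-}" in
    audit) audit_plugin_dirs; exit $? ;;
    rules) auditd_rules ;;
esac
```

Run `sh hdf5_plugin_audit.sh audit` as the service account that launches training jobs, so HDF5_PLUGIN_PATH is the value that account actually sees; a non-zero exit means step 2 is not done. `sh hdf5_plugin_audit.sh rules` prints rules that can be appended to an auditd rules file for step 5.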
Technical Details
NVD Description
TensorFlow HDF5 Library Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of TensorFlow. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of plugins. The application loads plugins from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25480.
Exploitation Scenario
An attacker compromises a low-privileged account on a shared GPU training cluster (for example via a malicious Jupyter notebook, a stolen SSH key, or an exploited web-facing ML service). They identify the directory TensorFlow's HDF5 library searches for plugins on the local filesystem: one that is world-writable, writable by the attacker's group, or not yet present and therefore creatable by them. The attacker drops a crafted shared library (.so) into that path. When a more privileged user or an automated training pipeline later invokes TensorFlow with HDF5 operations (for example, loading .h5 model weights or datasets), TensorFlow loads the attacker's library and executes arbitrary code in that user's context. After escalation, the attacker can exfiltrate trained models, read proprietary training data, establish persistence, or pivot into the broader ML infrastructure.
Weaknesses (CWE)
- CWE-427: Uncontrolled Search Path Element
References
- github.com/tensorflow/tensorflow/commit/46e7f7fb144fd11cf6d17c23dd47620328d77082
- zerodayinitiative.com/advisories/ZDI-26-116/