Description
Vulnerable Library - tensorflow-2.20.0-cp310-cp310-macosx_12_0_arm64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/16/0e/9408083cb80d85024829eb78aa0aa799ca9f030a348acac35631b5191d4b/tensorflow-2.20.0-cp310-cp310-macosx_12_0_arm64.whl
Path to dependency file: /Linux/Python/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/20260325185414/141/tensorflow-2.20.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl,/tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/20260325185414/299/tensorflow-2.20.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl,/tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/20260325185414/457/tensorflow-2.20.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl,/tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/20260325185414/615/tensorflow-2.20.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl,/tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/20260325185414/773/tensorflow-2.20.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Found in HEAD commit: bf9b5034b2c35dc796e701683484607b4e0bbde4
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (tensorflow version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2026-2492 | 7.0 | tensorflow-2.20.0-cp310-cp310-macosx_12_0_arm64.whl | Direct | 2.21.0rc0 | ❌ |
** In some cases a remediation PR cannot be created automatically for a vulnerability, even though a remediation is available.
Details
CVE-2026-2492
Dependency Hierarchy:
- ❌ tensorflow-2.20.0-cp310-cp310-macosx_12_0_arm64.whl (Vulnerable Library)
Found in HEAD commit: bf9b5034b2c35dc796e701683484607b4e0bbde4
Found in base branch: master
Vulnerability Details
TensorFlow HDF5 Library Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of TensorFlow. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of plugins. The application loads plugins from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25480.
Publish Date: 2026-02-20
URL: CVE-2026-2492
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-18
Fix Resolution: 2.21.0rc0