SCA: security update for tensorflow, tensorflow-cpu, tensorflow-gpu (GHSA-hhvc-g5hv-48c6)

medium Tenable Self-Hosted Container Security Plugin ID 415780

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor
created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an
integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If
the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what
is needed for the tensor it creates. However, as soon as there are enough bytes, the above snippet causes
a segmentation fault. This is because the allocator used to return the buffer data is not marked as
returning an opaque handle since the needed virtual method is not overridden. This is fixed in versions
1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0. (CVE-2020-26268)

See Also

https://github.com/advisories/GHSA-hhvc-g5hv-48c6

Plugin Details

Severity: Medium

ID: 415780

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.1

Percentile: 52.96

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Low

Base Score: 3.6

Temporal Score: 2.8

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:P

CVSS Score Source: CVE-2020-26268

CVSS v3

Risk Factor: Medium

Base Score: 4.4

Temporal Score: 4

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 4.8

Threat Score: 1.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/10/2020

Vulnerability Publication Date: 12/10/2020

Reference Information

CVE: CVE-2020-26268

cwe: CWE-471