Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch tensorflow for CVE-2026-2492 [HIGH] - branch 3.0-dev" #16038

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Akhila Guruju <v-guakhila@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 4 people

SPECS/tensorflow/CVE-2026-2492.patch

@@ -0,0 +1,94 @@
+From aea471bdcb78188fbee20a081e5cebcbbd9d34a9 Mon Sep 17 00:00:00 2001
+From: "A. Unique TensorFlower" <gardener@tensorflow.org>
+Date: Mon, 15 Dec 2025 13:20:46 -0800
+Subject: [PATCH] Disable HDF5 plugin loading when importing h5py in
+ Tensorflow.
+
+Set the HDF5_PLUGIN_PATH environment variable to "disable" before importing h5py to prevent the loading of external HDF5 plugins.
+
+PiperOrigin-RevId: 844896565
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/tensorflow/tensorflow/commit/46e7f7fb144fd11cf6d17c23dd47620328d77082.patch
+---
+ tensorflow/python/keras/engine/training.py     | 3 +++
+ tensorflow/python/keras/keras_parameterized.py | 4 ++++
+ tensorflow/python/keras/saving/hdf5_format.py  | 3 +++
+ tensorflow/python/keras/saving/save.py         | 5 ++++-
+ 4 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/tensorflow/python/keras/engine/training.py b/tensorflow/python/keras/engine/training.py
+index 1e94ca45..182db7b0 100644
+--- a/tensorflow/python/keras/engine/training.py
++++ b/tensorflow/python/keras/engine/training.py
+@@ -83,6 +83,9 @@ from tensorflow.tools.docs import doc_controls
+ 
+ # pylint: disable=g-import-not-at-top
+ try:
++  # Disable loading HDF5 plugins from a default path and prevent ZDI-CAN-25480.
++  # Importing h5py prior to importing tensorflow will restore the old behavior.
++  os.environ['HDF5_PLUGIN_PATH'] = 'disable'
+   import h5py
+ except ImportError:
+   h5py = None
+diff --git a/tensorflow/python/keras/keras_parameterized.py b/tensorflow/python/keras/keras_parameterized.py
+index 054df939..1a44e6b7 100644
+--- a/tensorflow/python/keras/keras_parameterized.py
++++ b/tensorflow/python/keras/keras_parameterized.py
+@@ -17,6 +17,7 @@
+ import collections
+ import functools
+ import itertools
++import os
+ import unittest
+ 
+ from absl.testing import parameterized
+@@ -30,6 +31,9 @@ from tensorflow.python.platform import test
+ from tensorflow.python.util import nest
+ 
+ try:
++  # Disable loading HDF5 plugins from a default path and prevent ZDI-CAN-25480.
++  # Importing h5py prior to importing tensorflow will restore the old behavior.
++  os.environ['HDF5_PLUGIN_PATH'] = 'disable'
+   import h5py  # pylint:disable=g-import-not-at-top
+ except ImportError:
+   h5py = None
+diff --git a/tensorflow/python/keras/saving/hdf5_format.py b/tensorflow/python/keras/saving/hdf5_format.py
+index 1f6bbc43..05a2c928 100644
+--- a/tensorflow/python/keras/saving/hdf5_format.py
++++ b/tensorflow/python/keras/saving/hdf5_format.py
+@@ -34,6 +34,9 @@ from tensorflow.python.platform import tf_logging as logging
+ 
+ # pylint: disable=g-import-not-at-top
+ try:
++  # Disable loading HDF5 plugins from a default path and prevent ZDI-CAN-25480.
++  # Importing h5py prior to importing tensorflow will restore the old behavior.
++  os.environ['HDF5_PLUGIN_PATH'] = 'disable'
+   import h5py
+   HDF5_OBJECT_HEADER_LIMIT = 64512
+ except ImportError:
+diff --git a/tensorflow/python/keras/saving/save.py b/tensorflow/python/keras/saving/save.py
+index eee85923..b9ba0bc2 100644
+--- a/tensorflow/python/keras/saving/save.py
++++ b/tensorflow/python/keras/saving/save.py
+@@ -13,7 +13,7 @@
+ # limitations under the License.
+ # ==============================================================================
+ """Keras model saving code."""
+-
++import os
+ from tensorflow.python import tf2
+ from tensorflow.python.keras.saving import hdf5_format
+ from tensorflow.python.keras.saving import saving_utils
+@@ -25,6 +25,9 @@ from tensorflow.python.keras.utils.io_utils import path_to_string
+ 
+ # pylint: disable=g-import-not-at-top
+ try:
++  # Disable loading HDF5 plugins from a default path and prevent ZDI-CAN-25480.
++  # Importing h5py prior to importing tensorflow will restore the old behavior.
++  os.environ['HDF5_PLUGIN_PATH'] = 'disable'
+   import h5py
+ except ImportError:
+   h5py = None
+-- 
+2.45.4
+

SPECS/tensorflow/tensorflow.spec

@@ -1,7 +1,7 @@
 Summary:        TensorFlow is an open source machine learning framework for everyone.
 Name:           tensorflow
 Version:        2.16.1
-Release:        10%{?dist}
+Release:        11%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -17,6 +17,7 @@ Patch4:         CVE-2024-35195.patch
 Patch5:         CVE-2024-5569.patch
 Patch6:         CVE-2024-6923.patch
 Patch7:         CVE-2026-21441.patch
+Patch8:         CVE-2026-2492.patch
 BuildRequires:  bazel
 BuildRequires:  binutils
 BuildRequires:  build-essential
@@ -105,6 +106,8 @@ popd
 
 popd
 
+patch -p1 < %{PATCH8}
+
 export TF_PYTHON_VERSION=3.12
 ln -s %{_bindir}/python3 %{_bindir}/python
 
@@ -134,6 +137,9 @@ bazel --batch build  //tensorflow/tools/pip_package:build_pip_package
 %{_bindir}/toco_from_protos
 
 %changelog
+* Tue Feb 24 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.16.1-11
+- Patch for CVE-2026-2492
+
 * Tue Jan 13 2026 Aditya Singh <v-aditysing@microsoft.com> - 2.16.1-10
 - Patch for CVE-2026-21441