Update Python packages to handle CVEs

ML-Frameworks/pytorch-aarch64/CHANGELOG.md

@@ -20,6 +20,9 @@ where `YY` is the year, and `MM` the month of the increment.
 ### Removed
 
 ### Fixed
+ - Updates Python packages to address known vulnerabilies with a high CVSS score:
+   - Updates `urllib` to 2.6.3 as a mitigation for CVE-2026-21441.
+   - Updates `wheel` to 0.46.2 as a mitigation for CVE-2026-24049.
 
 ## [r26.02] 2026-02-09
 https://github.com/ARM-software/Tool-Solutions/tree/r26.02

ML-Frameworks/pytorch-aarch64/Dockerfile

@@ -42,10 +42,10 @@ ENV PATH="/home/$DOCKER_USER/.venv/bin:${PATH}"
 # Install uv for quicker package installations
 RUN pip install uv==0.9.29
 
-# Update to newer pip/setuptools/wheel (setuptools >= 70.0.0 due to CVE-2024-6345
-# and CVE-2025-47273, wheel >= 0.38.0 due to CVE-2022-40898) and delete old system
-# version (we essentially use apt:python3-pip to bootstrap pip)
-RUN uv pip install --upgrade pip~=25.2 setuptools~=78.1.1 wheel~=0.45.1
+# Update to newer pip/setuptools/wheel:
+#  - setuptools >= 70.0.0 due to CVE-2024-6345 and CVE-2025-47273
+#  - wheel >= 0.38.0 due to CVE-2022-40898 and >= 0.46.2 due to CVE-2026-24049
+RUN uv pip install --upgrade pip~=26.0 setuptools~=78.1.1 wheel~=0.46.2
 
 # Install non-torch requirements
 COPY --chown=$DOCKER_USER:$DOCKER_USER requirements.txt .

ML-Frameworks/pytorch-aarch64/requirements.txt

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright 2024, 2025 Arm Limited and affiliates.
+# SPDX-FileCopyrightText: Copyright 2024-2026 Arm Limited and affiliates.
 #
 # SPDX-License-Identifier: Apache-2.0
 
@@ -37,4 +37,4 @@ tqdm~=4.66.5
 transformers~=4.55.2  # >= 4.50.0 due to CVE-2025-2099
 typing_extensions~=4.12.2
 tzdata==2024.2
-urllib3~=2.2.3
+urllib3~=2.6.3 # >= 2.6.3 due to CVE-2026-21441

ML-Frameworks/tensorflow-aarch64/CHANGELOG.md

@@ -20,6 +20,9 @@ where `YY` is the year, and `MM` the month of the increment.
 ### Removed
 
 ### Fixed
+ - Updates Python packages to address known vulnerabilies with a high CVSS score:
+   - Updates `urllib` to 2.6.3 as a mitigation for CVE-2025-66418, CVE-2025-66471, and CVE-2026-21441.
+   - Updates `wheel` to 0.46.2 as a mitigation for CVE-2026-24049.
 
 ## [r26.02] 2026-02-09
 https://github.com/ARM-software/Tool-Solutions/tree/r26.02

ML-Frameworks/tensorflow-aarch64/Dockerfile

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright 2020-2025 Arm Limited and affiliates.
+# SPDX-FileCopyrightText: Copyright 2020-2026 Arm Limited and affiliates.
 #
 # SPDX-License-Identifier: Apache-2.0
 
@@ -82,10 +82,10 @@ RUN python -m venv /home/$DOCKER_USER/.venv
 # Make the venv python/pip first on PATH for all subsequent layers and at runtime
 ENV PATH="/home/$DOCKER_USER/.venv/bin:$PATH"
 
-# Update to newer pip/setuptools/wheel (setuptools >= 70.0.0 due to CVE-2024-6345
-# and CVE-2025-47273, wheel >= 0.38.0 due to CVE-2022-40898) and delete old system
-# version (we essentially use apt:python3-pip to bootstrap pip)
-RUN pip install --upgrade pip~=25.2 setuptools~=78.1.1 wheel~=0.45.1
+# Update to newer pip/setuptools/wheel:
+#  - setuptools >= 70.0.0 due to CVE-2024-6345 and CVE-2025-47273
+#  - wheel >= 0.38.0 due to CVE-2022-40898 and >= 0.46.2 due to CVE-2026-24049
+RUN pip install --upgrade pip~=26.0 setuptools~=78.1.1 wheel~=0.46.2
 
 # Check TENSORFLOW_WHEEL was set and copy
 RUN test -n "$TENSORFLOW_WHEEL"

ML-Frameworks/tensorflow-aarch64/requirements.txt

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright 2025 Arm Limited and affiliates.
+# SPDX-FileCopyrightText: Copyright 2025, 2026 Arm Limited and affiliates.
 #
 # SPDX-License-Identifier: Apache-2.0
 
@@ -18,3 +18,4 @@ tokenizers~=0.21.0
 tqdm~=4.67.1
 transformers~=4.53.0
 tzdata==2025.1
+urllib3~=2.6.3 # >= 2.6.0 due to CVE-2025-66418 and CVE-2025-66471, and >= 2.6.3 due to CVE-2026-21441