Threat Advisory

Keras vulnerable to DoS via Malicious .keras Model

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
EXECUTIVE SUMMARY:

CVE-2026-0897, with a CVSS score of 7.1, is a memory exhaustion and Denial of Service (DoS) vulnerability in the Keras model loader (KerasFileEditor) component of Google Keras. Affected versions are 3.0.0 through 3.12.0, and 3.13.0 up to, but not including, 3.13.2. Specifically, the HDF5 weight loading component fails to validate HDF5 dataset metadata. A remote attacker can craft a malicious .keras model file containing a valid model.weights.h5 file with an extremely large declared shape, causing memory exhaustion and a crash of the Python interpreter upon loading. The vulnerability is exploitable via a network attack vector with low complexity and requires no privileges or user interaction. Successful exploitation lets an attacker crash any environment or pipeline that loads .keras models, including MLOps backends, training services, model upload endpoints, and automated pipelines, leading to business disruption, data loss, and potential financial consequences. Exploitation requires the ability to upload malicious model files to a platform that processes user models.

RECOMMENDATION:

We recommend updating Keras to version 3.12.1 or version 3.13.2.
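
A pre-load check for the missing validation described in the executive summary, as an added example (not code from Keras or from this advisory): it reads the declared shape of every dataset in model.weights.h5 and reports any whose implied allocation exceeds a budget. The byte budgets and function names are assumptions, and h5py is assumed to be installed.

```python
import io
import math
import zipfile

WEIGHTS_MEMBER = "model.weights.h5"  # weights file inside a .keras zip archive
MAX_DATASET_BYTES = 2 * 1024**3      # assumed budget per dataset (tune locally)
MAX_TOTAL_BYTES = 8 * 1024**3        # assumed budget for the whole model
MAX_MEMBER_BYTES = 4 * 1024**3       # assumed cap on the uncompressed .h5 size

def declared_nbytes(shape, itemsize):
    """Bytes a loader would allocate for a dataset with this declared shape."""
    if shape is None:  # null dataspace, nothing to allocate
        return 0
    return math.prod(shape) * itemsize  # Python ints do not overflow

def check_declared_sizes(datasets, max_dataset=MAX_DATASET_BYTES,
                         max_total=MAX_TOTAL_BYTES):
    """datasets: iterable of (name, shape, itemsize). Returns findings."""
    findings, total = [], 0
    for name, shape, itemsize in datasets:
        size = declared_nbytes(shape, itemsize)
        total += size
        if size > max_dataset:
            findings.append(f"{name}: shape {shape} declares {size} bytes")
    if total > max_total:
        findings.append(f"all datasets: {total} bytes declared in total")
    return findings

def hdf5_dataset_metadata(h5_bytes):
    """List (name, shape, itemsize) per dataset; reads headers, not data."""
    import h5py  # assumed installed (Keras uses it for .h5 weights)
    found = []
    with h5py.File(io.BytesIO(h5_bytes), "r") as f:
        f.visititems(lambda name, obj: found.append(
            (name, obj.shape, obj.dtype.itemsize))
            if isinstance(obj, h5py.Dataset) else None)
    return found

def scan_keras_archive(archive, max_member=MAX_MEMBER_BYTES):
    """Return findings for a .keras file (path or file object); [] means pass."""
    with zipfile.ZipFile(archive) as zf:
        if WEIGHTS_MEMBER not in zf.namelist():
            return []  # no HDF5 weights to inspect
        info = zf.getinfo(WEIGHTS_MEMBER)
        if info.file_size > max_member:
            return [f"{WEIGHTS_MEMBER}: {info.file_size} bytes uncompressed"]
        data = zf.read(info)
    return check_declared_sizes(hdf5_dataset_metadata(data))
```

Run `scan_keras_archive` on an uploaded file before it reaches any Keras loading call, and reject the upload when the returned list is not empty.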

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-mgx6-5cf9-rr43
