{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0897", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2026-01-13T15:59:54.703Z", "datePublished": "2026-01-15T14:09:53.603Z", "dateUpdated": "2026-01-15T16:38:18.772Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Keras", "vendor": "Google", "versions": [{"lessThanOrEqual": "3.13.0", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Sarvesh Patil"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Allocation of Resources Without Limits or Throttling <span style=\"background-color: rgb(255, 255, 255);\">in </span>the HDF5 weight loading component<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">in </span>Google<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span>Keras<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span>3.0.0 through 3.13.0<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">on </span>all platforms<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;allows </span>a remote attacker<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;to </span>cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">via </span>a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape<span style=\"background-color: rgb(255, 255, 255);\">.</span><br>"}], "value": "Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component\u00a0in Google\u00a0Keras\u00a03.0.0 through 3.13.0\u00a0on all platforms\u00a0allows a remote attacker\u00a0to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter\u00a0via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape."}], "impacts": [{"capecId": "CAPEC-197", "descriptions": [{"lang": "en", "value": "CAPEC-197 Exponential Data Expansion"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2026-01-15T14:09:53.603Z"}, "references": [{"url": "https://github.com/keras-team/keras/pull/21880"}], "source": {"discovery": "UNKNOWN"}, "title": "Denial of Service in Keras via Excessive Memory Allocation in HDF5 Metadata", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-15T16:31:40.866475Z", "id": "CVE-2026-0897", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T16:38:18.772Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0897", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-15T16:31:40.866475Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T16:38:08.610Z"}}], "cna": {"title": "Denial of Service in Keras via Excessive Memory Allocation in HDF5 Metadata", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Sarvesh Patil"}], "impacts": [{"capecId": "CAPEC-197", "descriptions": [{"lang": "en", "value": "CAPEC-197 Exponential Data Expansion"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Google", "product": "Keras", "versions": [{"status": "affected", "version": "3.0.0", "versionType": "semver", "lessThanOrEqual": "3.13.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/keras-team/keras/pull/21880"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component\u00a0in Google\u00a0Keras\u00a03.0.0 through 3.13.0\u00a0on all platforms\u00a0allows a remote attacker\u00a0to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter\u00a0via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape.", "supportingMedia": [{"type": "text/html", "value": "Allocation of Resources Without Limits or Throttling <span style=\"background-color: rgb(255, 255, 255);\">in </span>the HDF5 weight loading component<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">in </span>Google<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span>Keras<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span>3.0.0 through 3.13.0<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">on </span>all platforms<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;allows </span>a remote attacker<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;to </span>cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">via </span>a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape<span style=\"background-color: rgb(255, 255, 255);\">.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2026-01-15T14:09:53.603Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0897", "state": "PUBLISHED", "dateUpdated": "2026-01-15T16:38:18.772Z", "dateReserved": "2026-01-13T15:59:54.703Z", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "datePublished": "2026-01-15T14:09:53.603Z", "assignerShortName": "Google"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:keras:keras:*:*:*:*:*:*:*:*", "matchCriteriaId": "792219ED-9845-4AD4-A4D4-0E2C3E377A11", "versionEndIncluding": "3.13.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component\u00a0in Google\u00a0Keras\u00a03.0.0 through 3.13.0\u00a0on all platforms\u00a0allows a remote attacker\u00a0to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter\u00a0via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape."}], "id": "CVE-2026-0897", "lastModified": "2026-01-23T18:35:49.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2026-01-15T14:16:26.890", "references": [{"source": "cve-coordination@google.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/keras-team/keras/pull/21880"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}

{"bugzilla": {"description": "Keras: Keras: Denial of Service via crafted HDF5 weight loading file", "id": "2430027", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430027"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in Keras. A remote attacker can cause a Denial of Service (DoS) by providing a specially crafted .keras archive containing a model weights file (model.weights.h5) that declares an extremely large data shape. This can lead to excessive memory allocation, resulting in memory exhaustion and a crash of the Python interpreter."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid loading Keras model archives from untrusted sources. If processing untrusted Keras model archives is unavoidable, ensure they are processed within an isolated and resource-constrained environment to limit the impact of potential memory exhaustion attacks."}, "name": "CVE-2026-0897", "package_state": [{"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-kserve-agent-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-kserve-controller-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-kserve-router-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-kserve-storage-initializer-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-modelmesh-runtime-adapter-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-modelmesh-runtime-adapter-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "rhtas/model-transparency-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}], "public_date": "2026-01-15T14:09:53Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-0897\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0897\nhttps://github.com/keras-team/keras/pull/21880"], "statement": "This vulnerability is rated Important for Red Hat OpenShift AI. A remote attacker can cause a Denial of Service (DoS) by providing a crafted `.keras` archive with an excessively large dataset shape, leading to memory exhaustion. This impacts Red Hat OpenShift AI components that utilize Keras for model handling.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T06:06:46.995418+00:00", "value": {"mitigation_remediation": ["Upgrade Google Keras to a release that addresses the memory allocation issue (consult the official Keras release notes for the earliest patched version).", "Validate model weight archive contents before loading: check dataset shapes and enforce a maximum allowable memory footprint.", "Run the model loading process in a sandboxed or resource\u2011limited environment, using OS\u2011level limits or container cgroups to prevent a single model from exhausting host memory."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Google Keras versions 3.0.0 through 3.13.0 on all supported platforms are affected. The issue resides in the HDF5 weight loading code and does not depend on OS or Python version. Users who load untrusted .keras files or train models that read such files are at risk. Updating to a newer Keras release that includes the fix will eliminate the flaw.", "description_and_impact": "The vulnerability is an uncontrolled resource allocation in Keras 3.0.0\u20133.13.0. A maliciously crafted .keras archive can contain a weight file whose dataset declares an extremely large shape. When the HDF5 weight loading component processes this file it allocates the full amount of memory required, exhausting system resources and causing the Python interpreter to terminate. The result is a denial of service that can be triggered remotely by any party able to supply the model archive.", "risk_and_exploitability": "The CVSS base score is 7.1, and the EPSS probability is below 1%, indicating a low likelihood of exploitation in the wild. The flaw is not yet listed in the CISA KEV catalog. The attack requires delivering a specially crafted model archive to the target\u2019s Keras environment, typically by user\u2011supplied model loading. Since the vulnerability causes memory exhaustion, it can crash the Python process or any process that imports the model. The weak point is the lack of input size checks, corresponding to CWE\u2011770."}}}}, "created": "2026-01-16T13:43:37.837518+00:00", "updated": "2026-04-18T06:15:15.868519+00:00", "vendors": ["keras", "keras$PRODUCT$keras"]}