CVE-2026-0897

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-0897

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-0897.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-0897

Aliases

GHSA-xfhx-r7ww-5995

Downstream

DEBIAN-CVE-2026-0897

MINI-h5jp-w9f3-8f63

UBUNTU-CVE-2026-0897

Published

2026-01-15T14:16:26.890Z

Modified

2026-01-18T03:45:19.891848Z

Severity

7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

[none]

Details

Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape.

References

https://github.com/keras-team/keras/pull/21880

Affected packages

Git / github.com/keras-team/keras

Affected ranges

Type: GIT
Repo: https://github.com/keras-team/keras
Events: Introduced

9c675a9a45e5e8244163fea82efc6066722608a1

Last affected

986ff971d98e216a89fba38d48a337ed09d6dc44

Affected versions

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.1.0

v3.1.1

v3.10.0

v3.11.0

v3.12.0

v3.13.0

v3.2.0

v3.2.1

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.4.0

v3.4.1

v3.5.0

v3.6.0

v3.7.0

v3.8.0

v3.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-0897.json"