CVE-2026-0897 in Keras
Summary
by MITRE • 01/15/2026
Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape.
Analysis
by VulDB Data Team • 05/07/2026
The vulnerability CVE-2026-0897 represents a critical resource allocation flaw within the HDF5 weight loading component of Google Keras versions 3.0.0 through 3.13.0. This issue manifests when the framework processes maliciously crafted .keras archive files containing valid model.weights.h5 files with deliberately inflated dataset shapes. The flaw stems from the absence of proper limits or throttling mechanisms during resource allocation operations, creating a pathway for attackers to exploit memory exhaustion conditions that ultimately lead to Python interpreter crashes.
The flaw lies in how Keras handles HDF5 file parsing and memory allocation for dataset dimensions. When the framework encounters a dataset declaration with an extremely large shape attribute within the H5 file structure, it attempts to allocate memory proportional to that declared size without any bounds checking or resource limiting. This behavior maps directly to CWE-770, which describes allocation of resources without limits or throttling, and is a classic example of unchecked memory allocation that can be leveraged for resource exhaustion attacks.
From an operational impact perspective, this vulnerability enables remote attackers to cause denial of service on systems running affected Keras versions. The attack requires the victim to process a crafted .keras archive file, which typically occurs during model loading operations in machine learning workflows. When exploited, the vulnerability causes the Python interpreter to consume memory until system resources are exhausted, resulting in application crashes and service unavailability. The impact extends beyond simple service disruption, as it can affect automated ML pipelines, inference servers, and any system that relies on Keras for model loading operations.
The attack surface for this vulnerability encompasses any system that processes .keras archive files through Keras versions within the affected range, including cloud ML platforms, automated training environments, and edge computing devices running machine learning workloads. Attackers can construct malicious archives that appear legitimate to the system while containing datasets with shapes that declare memory requirements far exceeding available system resources. This vulnerability particularly affects environments where model loading occurs in untrusted contexts, such as web applications accepting user-uploaded models or automated systems processing external model files.
Mitigation strategies for CVE-2026-0897 should focus on implementing proper resource limits and input validation within the HDF5 parsing component. The most effective immediate solution involves upgrading to a patched version of Keras that includes bounds checking for dataset shapes and implements reasonable memory allocation limits. Organizations should also consider implementing defensive programming practices such as setting maximum allowable dataset dimensions, implementing memory usage monitoring, and establishing resource quotas for model loading operations. Additionally, the implementation of sandboxing mechanisms for untrusted model files and regular security scanning of model archives can help prevent exploitation of this vulnerability in production environments.
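One way to enforce a maximum dataset size before a model is loaded, as an added example (not Keras code and not the upstream fix): it reads only the HDF5 dataset headers of `model.weights.h5` and compares the declared sizes against budgets. The function names and byte limits are assumptions chosen for illustration, and `scan_keras_archive` requires the third-party `h5py` package.

```python
import io
import math
import zipfile

# Assumed budgets; tune to the host that loads models.
MAX_H5_FILE_BYTES = 1 * 1024**3   # cap on the weights file read from the archive
MAX_DATASET_BYTES = 2 * 1024**3   # cap on any single declared dataset
MAX_TOTAL_BYTES = 8 * 1024**3     # cap on all declared datasets together
WEIGHTS_MEMBER = "model.weights.h5"  # member name given in the advisory


def declared_nbytes(shape, itemsize):
    """Bytes needed to materialise a dataset, computed from metadata only."""
    return math.prod(shape) * itemsize  # Python ints cannot overflow


def check_budget(datasets, max_dataset=MAX_DATASET_BYTES, max_total=MAX_TOTAL_BYTES):
    """datasets: iterable of (name, shape, itemsize). Returns a list of violations."""
    problems, total = [], 0
    for name, shape, itemsize in datasets:
        size = declared_nbytes(shape, itemsize)
        total += size
        if size > max_dataset:
            problems.append(f"{name}: shape {tuple(shape)} declares {size} bytes")
    if total > max_total:
        problems.append(f"all datasets together declare {total} bytes")
    return problems


def scan_keras_archive(path):
    """Inspect dataset headers in a .keras archive without reading weight data."""
    import h5py  # third-party; imported here so check_budget works without it

    with zipfile.ZipFile(path) as zf, zf.open(WEIGHTS_MEMBER) as member:
        raw = member.read(MAX_H5_FILE_BYTES + 1)  # bounded read of the member
    if len(raw) > MAX_H5_FILE_BYTES:
        return [f"{WEIGHTS_MEMBER} is larger than {MAX_H5_FILE_BYTES} bytes"]

    found = []
    with h5py.File(io.BytesIO(raw), "r") as h5:
        def visit(name, obj):
            if isinstance(obj, h5py.Dataset):
                # obj.shape and obj.dtype come from the header, not the data
                found.append((name, obj.shape or (), obj.dtype.itemsize))
        h5.visititems(visit)
    return check_budget(found)
```

An empty list from `scan_keras_archive` means every declared dataset fits the budget; any entry is a reason to reject the archive before handing it to Keras.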
This vulnerability aligns with ATT&CK technique T1499.004, which covers "Utilities: Data Destruction" through resource exhaustion attacks, and represents a specific implementation of the broader category of resource exhaustion vulnerabilities that can be exploited to achieve denial of service conditions. The attack pattern demonstrates how seemingly benign file processing operations can become vectors for system compromise when proper resource management and input validation are absent from the implementation. Organizations should also consider implementing network-level protections such as file type validation and size restrictions for model files to provide additional defense in depth against this class of vulnerability.