Description
Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape.
Published: 2026-01-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an uncontrolled resource allocation in Keras 3.0.0–3.13.0. A maliciously crafted .keras archive can contain a weight file whose dataset declares an extremely large shape. When the HDF5 weight loading component processes this file it allocates the full amount of memory required, exhausting system resources and causing the Python interpreter to terminate. The result is a denial of service that can be triggered remotely by any party able to supply the model archive.

Affected Systems

Google Keras versions 3.0.0 through 3.13.0 on all supported platforms are affected. The issue resides in the HDF5 weight loading code and does not depend on OS or Python version. Users who load untrusted .keras files or train models that read such files are at risk. Updating to a newer Keras release that includes the fix will eliminate the flaw.

Risk and Exploitability

The CVSS base score is 7.1, and the EPSS probability is below 1%, indicating a low likelihood of exploitation in the wild. The flaw is not yet listed in the CISA KEV catalog. The attack requires delivering a specially crafted model archive to the target’s Keras environment, typically by user‑supplied model loading. Since the vulnerability causes memory exhaustion, it can crash the Python process or any process that imports the model. The weak point is the lack of input size checks, corresponding to CWE‑770.

Generated by OpenCVE AI on April 18, 2026 at 06:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Keras to a release that addresses the memory allocation issue (consult the official Keras release notes for the earliest patched version).
  • Validate model weight archive contents before loading: check dataset shapes and enforce a maximum allowable memory footprint.
  • Run the model loading process in a sandboxed or resource‑limited environment, using OS‑level limits or container cgroups to prevent a single model from exhausting host memory.

Generated by OpenCVE AI on April 18, 2026 at 06:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xfhx-r7ww-5995 Google Keras Allocates Resources Without Limits or Throttling in the HDF5 weight loading component
History

Fri, 23 Jan 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:keras:keras:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 16 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Keras
Keras keras
Vendors & Products Keras
Keras keras

Fri, 16 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}

threat_severity

Important

Thu, 15 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
Description Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape.
Title Denial of Service in Keras via Excessive Memory Allocation in HDF5 Metadata
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Keras Keras
cve-icon MITRE

Status: PUBLISHED

Assigner: Google

Published:

Updated: 2026-01-15T16:38:18.772Z

Reserved: 2026-01-13T15:59:54.703Z

Link: CVE-2026-0897

cve-icon Vulnrichment

Updated: 2026-01-15T16:38:08.610Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-15T14:16:26.890

Modified: 2026-01-23T18:35:49.733

Link: CVE-2026-0897

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-15T14:09:53Z

Links: CVE-2026-0897 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:15:15Z

Weaknesses