CVE-2026-0897
Published: 15 January 2026
Summary
CVE-2026-0897 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Keras. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 13.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Deep Learning Frameworks, in the Data-Related Vulnerabilities risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-0897 is a vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) in the HDF5 weight loading component of Google Keras versions 3.0.0 through 3.13.0, affecting all platforms. The issue enables a remote attacker to trigger a Denial of Service (DoS) condition through memory exhaustion and a crash of the Python interpreter. This occurs via a crafted .keras archive that includes a valid model.weights.h5 file where the dataset declares an extremely large shape.
Any remote attacker can exploit this vulnerability over the network with low complexity, no privileges, and no user interaction required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Exploitation involves tricking a target into loading the malicious .keras archive, resulting in unbounded memory allocation during HDF5 dataset processing, which exhausts system resources and crashes the Python interpreter.
A pull request addressing the issue is available at https://github.com/keras-team/keras/pull/21880, providing details on the patch for mitigation in affected Keras versions.
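A pre-load check a defender could run on untrusted .keras archives, following the description above: it reads only the HDF5 metadata of model.weights.h5 and compares the sizes the datasets declare against a memory budget. This is an added example, not code from the Keras project or the linked pull request; the function names, the 2 GiB budget, and the constructed sample dataset path are assumptions, and h5py is assumed to be installed.

```python
import io
import zipfile

import h5py  # assumption: h5py is available alongside Keras

BUDGET = 2 * 1024**3  # assumed per-model memory budget (2 GiB); tune per host


def declared_weight_bytes(archive, member="model.weights.h5", budget=BUDGET):
    """Map each HDF5 dataset path to the bytes its declared shape implies."""
    with zipfile.ZipFile(archive) as zf:
        if zf.getinfo(member).file_size > budget:
            raise ValueError("weights member itself exceeds the budget")
        buf = io.BytesIO(zf.read(member))  # h5py needs a seekable file object
    sizes = {}

    def visit(name, obj):
        if isinstance(obj, h5py.Dataset):
            count = 1
            for dim in obj.shape or ():  # metadata only, no data is read
                count *= int(dim)        # Python ints cannot overflow here
            sizes[name] = count * obj.dtype.itemsize

    with h5py.File(buf, "r") as h5:
        h5.visititems(visit)
    return sizes


def check_archive(archive, budget=BUDGET):
    """Return (ok, offenders); ok is False if the declared total exceeds budget."""
    sizes = declared_weight_bytes(archive, budget=budget)
    offenders = {k: v for k, v in sizes.items() if v > budget}
    return sum(sizes.values()) <= budget, offenders


def build_sample_archive(shape):
    """Constructed sample: zip with one float32 dataset declaring `shape`."""
    h5buf = io.BytesIO()
    with h5py.File(h5buf, "w") as h5:
        # chunks=True: storage is allocated lazily, so the file stays tiny
        h5.create_dataset("layers/dense/vars/0", shape=shape, dtype="f4", chunks=True)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("model.weights.h5", h5buf.getvalue())
    out.seek(0)
    return out
```

The pull request remains the actual fix; a check like this only screens files before they reach a loader that has not been patched.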
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2735
Vulnerability details
Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape.
- CWE(s)
AI Security Analysis
- AI Category: Deep Learning Frameworks
- Risk Domain: Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: keras
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables direct exploitation of Keras application to trigger resource exhaustion and interpreter crash (DoS).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly protects against denial-of-service attacks via unbounded memory allocation from crafted large-shape datasets in Keras HDF5 loading.
Ensures availability of critical resources like memory by preventing exhaustion during processing of malicious .keras archives.
Remediates the specific flaw in Keras HDF5 weight loading through timely identification, reporting, and patching as provided in the available pull request.