Cyber Resilience

CVE-2026-0897

HighDDoS

Published: 15 January 2026

Published
15 January 2026
Modified
23 January 2026
KEV Added
Patch
CVSS Score v4 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 13.7th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-0897 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Keras Keras. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Deep Learning Frameworks; in the Data-Related Vulnerabilities risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-0897 is a vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) in the HDF5 weight loading component of Google Keras versions 3.0.0 through 3.13.0, affecting all platforms. The issue enables a remote attacker to trigger a Denial of Service (DoS) condition through memory exhaustion and a crash of the Python interpreter. This occurs via a crafted .keras archive that includes a valid model.weights.h5 file where the dataset declares an extremely large shape.

Any remote attacker can exploit this vulnerability over the network with low complexity, no privileges, and no user interaction required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Exploitation involves tricking a target into loading the malicious .keras archive, resulting in unbounded memory allocation during HDF5 dataset processing, which exhausts system resources and crashes the Python interpreter.

A pull request addressing the issue is available at https://github.com/keras-team/keras/pull/21880, providing details on the patch for mitigation in affected Keras versions.

EU & UK References

Vulnerability details

Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of…

more

the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape.

CWE(s)

AI Security AnalysisAI

AI Category
Deep Learning Frameworks
Risk Domain
Data-Related Vulnerabilities
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: keras

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables direct exploitation of Keras application to trigger resource exhaustion and interpreter crash (DoS).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1550Same product: Keras Keras
CVE-2026-1669Same product: Keras Keras
CVE-2021-47877Shared CWE-770
CVE-2026-3260Shared CWE-770
CVE-2025-66560Shared CWE-770
CVE-2025-68136Shared CWE-770
CVE-2020-37038Shared CWE-770
CVE-2025-36070Shared CWE-770
CVE-2025-0189Shared CWE-770
CVE-2021-47791Shared CWE-770

Affected Assets

keras
keras
3.0.0 — 3.13.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly protects against denial-of-service attacks via unbounded memory allocation from crafted large-shape datasets in Keras HDF5 loading.

prevent

Ensures availability of critical resources like memory by preventing exhaustion during processing of malicious .keras archives.

prevent

Remediates the specific flaw in Keras HDF5 weight loading through timely identification, reporting, and patching as provided in the available pull request.

References