PatchSiren cyber security CVE debrief
CVE-2026-0897 Google CVE debrief
CVE-2026-0897 is a HIGH severity vulnerability (CVSS 4.0 score 7.1) in Google Keras 3.0.0 through 3.13.0 on all platforms. A crafted .keras archive containing a valid model.weights.h5 file in which a dataset declares an extremely large shape makes the HDF5 weight loading component attempt an allocation of that size, exhausting memory and crashing the Python interpreter: a Denial of Service (DoS) against whatever process loaded the file. The root cause is Allocation of Resources Without Limits or Throttling (CWE-770) in the HDF5 weight loading component. The file can be delivered over the network without privileges, but a user or service must load it (CVSS UI:P), so the practical exposure is any system that opens .keras archives it did not build itself. The CVE was published on January 15, 2026, and was last modified on June 30, 2026.
- Vendor: Google
- Product: Keras
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-15
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-15
- Advisory updated: 2026-06-30
Who should care
Organizations running Google Keras 3.0.0 through 3.13.0 on any platform are affected. Exposure is highest wherever Keras loads .keras archives that did not originate in-house: model-serving endpoints that accept uploaded models, pipelines that pull models from public hubs or third-party repositories, and notebooks or CI jobs that open models from shared storage. Because the crash takes down the Python interpreter that performed the load, a single crafted file can stop a shared inference service. Teams should locate affected installations, apply the vendor patch or a mitigation, and be ready to recognise and respond to exploitation attempts.
Technical summary
The HDF5 weight loading component of Google Keras sizes its memory allocation for each weight tensor from the shape declared in the HDF5 dataset, with no limit or throttling on that allocation (Allocation of Resources Without Limits or Throttling, CWE-770). A crafted .keras archive containing a valid model.weights.h5 file in which a dataset declares an extremely large shape therefore drives the loader into an allocation far beyond available memory, exhausting memory and crashing the Python interpreter: a Denial of Service (DoS) against the process that performed the load. Note that the HDF5 metadata itself is small; the cost is incurred only when the loader materialises the tensor, which is why an inspection of declared shapes before loading is cheap. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. Read as: the crafted file can be delivered over the network (AV:N) with low attack complexity (AC:L), no special preconditions (AT:N) and no privileges (PR:N), but a user or service must load it (UI:P); the impact is high on availability (VA:H) with no confidentiality or integrity impact (VC:N, VI:N) and no impact on subsequent systems (SC:N, SI:N, SA:N). The remaining fields are not defined (X).
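The pre-load inspection mentioned above, as an added example that is not Keras project code: it reads only the HDF5 metadata of model.weights.h5 inside a .keras archive and rejects the file when any dataset's declared size, or the sum over all datasets, exceeds a byte budget. It assumes the member name model.weights.h5 from the advisory, the third-party h5py library for the HDF5 walk (imported lazily, so the budget logic runs without it), and the hypothetical limits MAX_DATASET_BYTES, MAX_TOTAL_BYTES and MAX_WEIGHTS_MEMBER_BYTES, which are local policy values rather than anything Keras defines.

```python
"""Pre-load shape budget check for a .keras archive (added example, not Keras code)."""
import math
import shutil
import tempfile
import zipfile
from typing import Dict, Tuple

# Hypothetical policy limits: tune to the largest legitimate model you serve.
MAX_DATASET_BYTES = 2 * 1024 ** 3          # any single weight tensor, in RAM
MAX_TOTAL_BYTES = 8 * 1024 ** 3            # all tensors together
MAX_WEIGHTS_MEMBER_BYTES = 16 * 1024 ** 3  # uncompressed size of the .h5 member
WEIGHTS_MEMBER = "model.weights.h5"        # member name from the advisory

DatasetSizes = Dict[str, Tuple[Tuple[int, ...], int]]  # name -> (shape, itemsize)


def declared_bytes(shape: Tuple[int, ...], itemsize: int) -> int:
    """Bytes a dataset would occupy if fully materialised.

    Python integers cannot overflow, so a deliberately huge shape is computed
    exactly rather than wrapping to a small number that slips past the check.
    """
    return math.prod(shape) * itemsize


def check_budget(datasets: DatasetSizes,
                 max_dataset: int = MAX_DATASET_BYTES,
                 max_total: int = MAX_TOTAL_BYTES) -> Tuple[bool, str]:
    """Return (ok, reason) for a set of declared dataset shapes.

    Rejects the first dataset over the per-tensor budget, or the point at which
    the running total passes the whole-file budget, before any data is read.
    """
    total = 0
    for name, (shape, itemsize) in datasets.items():
        if any(d < 0 for d in shape) or itemsize <= 0:
            return False, f"{name}: invalid shape {shape} / itemsize {itemsize}"
        size = declared_bytes(shape, itemsize)
        if size > max_dataset:
            return False, f"{name}: declares {size} bytes, over per-dataset limit {max_dataset}"
        total += size
        if total > max_total:
            return False, f"total declared size {total} exceeds limit {max_total}"
    return True, f"total declared size {total} bytes within budget"


def hdf5_dataset_sizes(h5_path: str) -> DatasetSizes:
    """Collect (shape, itemsize) for every dataset in an HDF5 file.

    h5py reads only metadata here (no dataset is sliced), so inspecting a
    crafted shape costs nothing. Imported lazily so check_budget stays usable,
    and testable, without h5py installed.
    """
    import h5py  # third-party; needed only when scanning real archives

    sizes: DatasetSizes = {}
    with h5py.File(h5_path, "r") as f:
        def visit(name, obj):
            if isinstance(obj, h5py.Dataset):
                sizes[name] = (tuple(obj.shape), obj.dtype.itemsize)
        f.visititems(visit)
    return sizes


def check_keras_archive(path: str) -> Tuple[bool, str]:
    """Inspect model.weights.h5 inside a .keras zip without loading the model.

    The zip header's claimed uncompressed size is bounded first and the member
    is streamed to a temp file, so the check itself never holds a large
    decompressed buffer in memory. (The header value is a claim; zipfile
    raises on a size or CRC mismatch when the stream ends.)
    """
    with zipfile.ZipFile(path) as zf, tempfile.NamedTemporaryFile(suffix=".h5") as tmp:
        try:
            info = zf.getinfo(WEIGHTS_MEMBER)
        except KeyError:
            return False, f"{WEIGHTS_MEMBER} missing from archive"
        if info.file_size > MAX_WEIGHTS_MEMBER_BYTES:
            return False, f"{WEIGHTS_MEMBER} declares {info.file_size} bytes uncompressed"
        with zf.open(WEIGHTS_MEMBER) as src:
            shutil.copyfileobj(src, tmp)
        tmp.flush()
        return check_budget(hdf5_dataset_sizes(tmp.name))


if __name__ == "__main__":
    import sys
    ok, reason = check_keras_archive(sys.argv[1])
    print("ACCEPT" if ok else "REJECT", reason)
    sys.exit(0 if ok else 1)
```

Run it as a gate in front of the real load (for example in the upload handler or the model-fetch step of a pipeline): only an archive that returns ACCEPT is passed to Keras. The budget is deliberately a policy number, since a legitimate large language model and a small classifier have very different ceilings; set it just above the biggest model the service is meant to serve.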
Defensive priority
Patching is high priority: the impact is a full Denial of Service of the loading process, the crafted file needs no privileges to deliver, and model files routinely cross trust boundaries (uploads, public hubs, shared storage). Until the patch is applied, treat every .keras archive from outside your control as untrusted input and load it only behind a size check and a resource limit.
Recommended defensive actions
- Inventory Keras installations (for example with pip show keras or pip list on each host and in every container image) and flag any version from 3.0.0 through 3.13.0
- Apply the vendor patch referenced under Official resources, or the mitigations below where patching is not yet possible
- Until patched, do not load .keras archives from untrusted or unverified sources; where that is unavoidable, inspect the declared dataset shapes in model.weights.h5 and reject implausibly large tensors before calling the loader
- Load models in a separate, resource-limited process (a cgroup or RLIMIT_AS memory cap plus a timeout) so an oversized allocation fails in the child instead of crashing the serving interpreter
- Monitor for exploitation: repeated crashes or MemoryError tracebacks in model-loading code paths, and out-of-memory kills of workers shortly after a model was fetched or uploaded
- Track exceptions and any systems left unpatched, and be prepared to respond to incidents
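The compensating control from the list above, as an added example that is not Keras project code: the untrusted load runs in a forked child process under a hard address-space cap (RLIMIT_AS), so an allocation sized by a crafted shape fails with MemoryError in the child and the parent receives a clean error instead of crashing. It assumes Linux (the resource module and the fork start method). The two stand-in loaders simulate a legitimate and a hostile model so the example runs offline; load_keras_model_capped shows where a real load would go and assumes the keras.saving.load_model and Model.get_weights APIs.

```python
"""Memory-capped model loading (added example, not Keras code; Linux only)."""
import multiprocessing as mp
import resource
from typing import Any, Callable, Tuple

Outcome = Tuple[str, Any]  # ("ok", result) | ("error", message) | ("killed", reason)


def _child(conn, cap_bytes: int, loader: Callable[[], Any]) -> None:
    """Runs in the forked child: apply the cap, run the loader, report back."""
    try:
        # Soft and hard limit on this process's total virtual address space.
        # Any malloc/mmap that would push past it fails, which CPython raises
        # as MemoryError instead of driving the host into swap or the OOM killer.
        resource.setrlimit(resource.RLIMIT_AS, (cap_bytes, cap_bytes))
        conn.send(("ok", loader()))
    except MemoryError:
        conn.send(("error", "MemoryError"))
    except Exception as exc:  # keep other failures visible to the parent
        conn.send(("error", f"{type(exc).__name__}: {exc}"))
    finally:
        conn.close()


def run_capped(loader: Callable[[], Any], cap_bytes: int,
               timeout_s: float = 60.0) -> Outcome:
    """Run `loader` in a forked child with RLIMIT_AS = cap_bytes and a timeout.

    The result travels back over a pipe, so return something picklable
    (weights as arrays, a summary) rather than the live model object.
    """
    ctx = mp.get_context("fork")  # fork: the loader itself need not be picklable
    parent_conn, child_conn = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_child, args=(child_conn, cap_bytes, loader))
    proc.start()
    child_conn.close()  # parent must drop its copy or EOF is never observed
    try:
        if not parent_conn.poll(timeout_s):
            return ("killed", f"timeout after {timeout_s}s")
        return parent_conn.recv()
    except EOFError:
        # Child died without reporting, e.g. SIGKILL from the kernel OOM killer.
        proc.join(timeout=5)
        return ("killed", f"child exited with code {proc.exitcode}")
    finally:
        proc.join(timeout=5)
        if proc.is_alive():
            proc.kill()
            proc.join()
        parent_conn.close()


def benign_loader() -> int:
    """Stand-in for a legitimate model: a modest 8 MiB allocation."""
    return len(bytearray(8 * 1024 ** 2))


def hostile_loader() -> int:
    """Stand-in for the crafted file: one allocation sized like a tensor whose
    declared shape is absurd (64 GiB here)."""
    return len(bytearray(64 * 1024 ** 3))


def load_keras_model_capped(path: str, cap_bytes: int) -> Outcome:
    """Where the real load goes. The keras import happens inside the child so
    the cap also covers the library's own allocations. Assumed API:
    keras.saving.load_model and Model.get_weights."""
    def loader():
        import keras  # third-party; not needed for the stand-ins above
        model = keras.saving.load_model(path)
        return [tuple(w.shape) for w in model.get_weights()]
    return run_capped(loader, cap_bytes)


if __name__ == "__main__":
    cap = 1024 ** 3  # 1 GiB, hypothetical: size it just above your largest real model
    print("benign :", run_capped(benign_loader, cap))
    print("hostile:", run_capped(hostile_loader, cap))
```

The cap must be large enough for the child's own baseline (the interpreter plus whatever the loader imports) as well as the biggest legitimate model, so measure a real load before choosing it. RLIMIT_AS bounds virtual address space, not resident memory; a cgroup memory limit on the worker is the complementary control when the host also needs protection from many concurrent loads.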
Evidence notes
The CVE-2026-0897 vulnerability was published on January 15, 2026, and last modified on June 30, 2026. The vulnerability has a CVSS score of 7.1 and is considered HIGH severity. The NVD provides detailed information on the vulnerability, including its CVSS vector and CPE criteria.
Official resources
- CVE-2026-0897 CVE record: CVE.org
- CVE-2026-0897 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Issue Tracking, Patch)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.