GHSA-xfhx-r7ww-5995

Опубликовано: 15 янв. 2026

Источник: github

Github: Прошло ревью

CVSS4: 7.1

Описание

Google Keras Allocates Resources Without Limits or Throttling in the HDF5 weight loading component

Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.12.0 and 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape.

Ссылки

Пакеты

Наименование

keras

pip

Затронутые версииВерсия исправления

>= 3.0.0, < 3.12.1

3.12.1

Наименование

keras

pip

Затронутые версииВерсия исправления

= 3.13.0

3.13.1

EPSS

Процентиль: 9%

0.0003

Низкий

7.1 High

CVSS4

CVE ID

CVE-2026-0897

Дефекты

CWE-770

Связанные уязвимости

CVE-2026-0897

CVSS3: 7.5

ubuntu

2 месяца назад

Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape.