{ "threat_severity" : "Important", "public_date" : "2026-01-15T14:09:53Z", "bugzilla" : { "description" : "Keras: Keras: Denial of Service via crafted HDF5 weight loading file", "id" : "2430027", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2430027" }, "cvss3" : { "cvss3_base_score" : "7.6", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "status" : "verified" }, "cwe" : "CWE-770", "details" : [ "Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape.", "A flaw was found in Keras. A remote attacker can cause a Denial of Service (DoS) by providing a specially crafted .keras archive containing a model weights file (model.weights.h5) that declares an extremely large data shape. This can lead to excessive memory allocation, resulting in memory exhaustion and a crash of the Python interpreter." ], "statement" : "This vulnerability is rated Important for Red Hat OpenShift AI. A remote attacker can cause a Denial of Service (DoS) by providing a crafted `.keras` archive with an excessively large dataset shape, leading to memory exhaustion. This impacts Red Hat OpenShift AI components that utilize Keras for model handling.", "affected_release" : [ { "product_name" : "Red Hat OpenShift AI 2.25", "release_date" : "2026-03-04T00:00:00Z", "advisory" : "RHSA-2026:3782", "cpe" : "cpe:/a:redhat:openshift_ai:2.25::el9", "package" : "rhoai/odh-modelmesh-runtime-adapter-rhel9:1772094445" }, { "product_name" : "Red Hat OpenShift AI 2.25", "release_date" : "2026-03-04T00:00:00Z", "advisory" : "RHSA-2026:3782", "cpe" : "cpe:/a:redhat:openshift_ai:2.25::el9", "package" : "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9:1772093304" }, { "product_name" : "Red Hat OpenShift AI 2.25", "release_date" : "2026-03-04T00:00:00Z", "advisory" : "RHSA-2026:3782", "cpe" : "cpe:/a:redhat:openshift_ai:2.25::el9", "package" : "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9:1772093283" }, { "product_name" : "Red Hat OpenShift AI 2.25", "release_date" : "2026-03-04T00:00:00Z", "advisory" : "RHSA-2026:3782", "cpe" : "cpe:/a:redhat:openshift_ai:2.25::el9", "package" : "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9:1772093300" }, { "product_name" : "Red Hat OpenShift AI 2.25", "release_date" : "2026-03-04T00:00:00Z", "advisory" : "RHSA-2026:3782", "cpe" : "cpe:/a:redhat:openshift_ai:2.25::el9", "package" : "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9:1772093272" }, { "product_name" : "Red Hat OpenShift AI 3.3", "release_date" : "2026-03-04T00:00:00Z", "advisory" : "RHSA-2026:3713", "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9", "package" : "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9:1771502897" }, { "product_name" : "Red Hat OpenShift AI 3.3", "release_date" : "2026-03-04T00:00:00Z", "advisory" : "RHSA-2026:3713", "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9", "package" : "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9:1771502844" }, { "product_name" : "Red Hat OpenShift AI 3.3", "release_date" : "2026-03-04T00:00:00Z", "advisory" : "RHSA-2026:3713", "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9", "package" : "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9:1771502910" }, { "product_name" : "Red Hat OpenShift AI 3.3", "release_date" : "2026-03-04T00:00:00Z", "advisory" : "RHSA-2026:3713", "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9", "package" : "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9:1771502884" }, { "product_name" : "Red Hat Trusted Artifact Signer 1.3", "release_date" : "2026-03-11T00:00:00Z", "advisory" : "RHSA-2026:4271", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1.3::el9", "package" : "rhtas/model-transparency-rhel9:1772614635" } ], "package_state" : [ { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-kserve-agent-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-kserve-controller-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-kserve-router-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-kserve-storage-initializer-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-modelmesh-runtime-adapter-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-0897\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0897\nhttps://github.com/keras-team/keras/pull/21880" ], "name" : "CVE-2026-0897", "mitigation" : { "value" : "To mitigate this issue, avoid loading Keras model archives from untrusted sources. If processing untrusted Keras model archives is unavoidable, ensure they are processed within an isolated and resource-constrained environment to limit the impact of potential memory exhaustion attacks.", "lang" : "en:us" }, "csaw" : false }