GHSA-mgx6-5cf9-rr43: Keras vulnerable to DoS via Malicious .keras Model (HDF5 Shape Bomb Causes Petabyte Allocation in KerasFileEditor)
Summary
Keras has a critical vulnerability in its model loader (KerasFileEditor) that allows attackers to cause a Denial of Service (DoS, where a system becomes unusable) by uploading malicious .keras files. An attacker can craft a small .keras file (100-400 KB) that declares an extremely large dataset shape in its HDF5 weight file (a binary format for storing weights in neural networks), but stores only a few bytes of actual data. When Keras loads this file, it attempts to allocate petabytes of RAM based on the declared shape, immediately crashing the system and killing any applications processing the model.
Vulnerability Details
EPSS: 0.0%
Yes
May 6, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose
Original source: https://github.com/advisories/GHSA-mgx6-5cf9-rr43
First tracked: May 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%