CVE Catalog

CVE-2026-12481

HighCVSS 8.8
Published: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

32th percentile — higher than 32% of all known CVEs

Summary

A vulnerability in Keras version 3.14.0 allows arbitrary code execution due to improper deserialization handling in the `Lambda` layer. The `_raise_for_lambda_deserialization()` function fails to enforce safe-mode when `safe_mode` is `None` (default), bypassing the guard and allowing attacker-controlled `marshal` bytecode to be deserialized.

Risk Assessment

An attacker can exploit this vulnerability to execute arbitrary OS-level code in the context of the server or user process, leading to full compromise of the application and potentially the entire system.

Recommendation

Immediately upgrade Keras to version 3.15.0 or later, which includes the fix. Until then, avoid deserializing untrusted layer configurations and explicitly set `safe_mode=True` in `from_config()` calls.

Original NVD description (English source)

A vulnerability in keras-team/keras version 3.14.0 allows for arbitrary code execution due to improper handling of deserialization in the `Lambda` layer. Specifically, the `_raise_for_lambda_deserialization()` function fails to enforce the safe-mode guard when `safe_mode` is set to `None`, which is the default value when `from_config()` is called outside of a `SafeModeScope` context. This logic error conflates `None` (unset/default-deny) with `False` (explicitly disabled), bypassing the guard and allowing attacker-controlled `marshal` bytecode to be deserialized. Affected call sites include `keras.layers.deserialize(config)`, `keras.models.clone_model(model)`, and any direct invocation of `Lambda.from_config(config)` without an enclosing `SafeModeScope(True)`. This vulnerability can be exploited to achieve arbitrary OS-level code execution in the context of the server or user process.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS