CVE-2026-12481
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk32th percentile — higher than 32% of all known CVEs
Summary
A vulnerability in Keras version 3.14.0 allows arbitrary code execution due to improper deserialization handling in the `Lambda` layer. The `_raise_for_lambda_deserialization()` function fails to enforce safe-mode when `safe_mode` is `None` (default), bypassing the guard and allowing attacker-controlled `marshal` bytecode to be deserialized.
Risk Assessment
An attacker can exploit this vulnerability to execute arbitrary OS-level code in the context of the server or user process, leading to full compromise of the application and potentially the entire system.
Recommendation
Immediately upgrade Keras to version 3.15.0 or later, which includes the fix. Until then, avoid deserializing untrusted layer configurations and explicitly set `safe_mode=True` in `from_config()` calls.
Original NVD description (English source)
A vulnerability in keras-team/keras version 3.14.0 allows for arbitrary code execution due to improper handling of deserialization in the `Lambda` layer. Specifically, the `_raise_for_lambda_deserialization()` function fails to enforce the safe-mode guard when `safe_mode` is set to `None`, which is the default value when `from_config()` is called outside of a `SafeModeScope` context. This logic error conflates `None` (unset/default-deny) with `False` (explicitly disabled), bypassing the guard and allowing attacker-controlled `marshal` bytecode to be deserialized. Affected call sites include `keras.layers.deserialize(config)`, `keras.models.clone_model(model)`, and any direct invocation of `Lambda.from_config(config)` without an enclosing `SafeModeScope(True)`. This vulnerability can be exploited to achieve arbitrary OS-level code execution in the context of the server or user process.

