Executive Summary
A critical vulnerability (CVE-2026-12481) in Keras version 3.14.0 allows for arbitrary code execution due to improper handling of deserialization in the `Lambda` layer. This vulnerability has a CVSS score of 8.8 and can be exploited to achieve OS-level code execution. Affected users must update to a patched version to mitigate this risk.
Technical Analysis
The vulnerability is caused by a logic error in the `_raise_for_lambda_deserialization()` function, which fails to enforce the safe-mode guard when `safe_mode` is set to `None`. This allows attacker-controlled `marshal` bytecode to be deserialized, leading to arbitrary code execution. The affected call sites include `keras.layers.deserialize(config)`, `keras.models.clone_model(model)`, and any direct invocation of `Lambda.from_config(config)` without an enclosing `SafeModeScope(True)`.
How It Gets Exploited
An attacker can exploit this vulnerability by providing a crafted configuration that triggers the deserialization of malicious `marshal` bytecode. This can be done by sending a specially crafted payload to the affected call sites, such as `keras.layers.deserialize(config)` or `keras.models.clone_model(model)`. When the payload is deserialized, the attacker-controlled code will be executed in the context of the server or user process.
Impact Assessment
Keras version 3.14.0 is affected by this vulnerability. An attacker can achieve arbitrary OS-level code execution in the context of the server or user process. The CVSS score for this vulnerability is 8.8, indicating a high severity.
Recommended Actions
To mitigate this vulnerability, users must update to a patched version of Keras. The recommended action is to update to the latest version of Keras, which includes the fix for this vulnerability. Additionally, users should ensure that they are not using affected call sites without proper validation and sanitization of input data.
Sources
- National Vulnerability Database (NVD)
- Huntr