general · MITRE
A vulnerability in keras-team/keras version 3.14.0 allows arbitrary code execution through improper deserialization handling in the Lambda layer. The `_raise_for_lambda_deserialization()` function fails to enforce safe-mode protections when `safe_mode` is set to `None` (its default value), conflating it with an explicit `False` setting. This logic error permits attacker-controlled marshal bytecode to be deserialized. Affected functions include `keras.layers.deserialize()`, `keras.models.clone_model()`, and direct calls to `Lambda.from_config()` outside a `SafeModeScope(True)` context, potentially leading to OS-level code execution in the affected process.
Organizations using Keras in model training pipelines or inference services should assess their exposure to untrusted model configurations. SaaS and machine-learning platforms that accept or clone user-supplied models face direct risk. Defense contractors and regulated entities handling ML workloads should review whether Keras 3.14.0 is present in their supply chain and whether external model sources are deserialized without explicit safe-mode enforcement. Remediation requires updating to a patched version or ensuring `SafeModeScope(True)` wraps all deserialization calls from untrusted sources. An Omniware engagement can scope your ML pipeline controls and deserialization hygiene against CUI handling requirements or SOC 2 constraints.
Source: MITRE/NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-12481
Source: MITRE
All briefings