UBUNTU-CVE-2026-12481

Source
https://ubuntu.com/security/CVE-2026-12481
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12481.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-12481
Upstream
  • CVE-2026-12481
Published
2026-07-06T00:00:00Z
Modified
2026-07-06T20:30:49.278628981Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

A vulnerability in keras-team/keras version 3.14.0 allows for arbitrary code execution due to improper handling of deserialization in the Lambda layer. Specifically, the _raise_for_lambda_deserialization() function fails to enforce the safe-mode guard when safe_mode is set to None, which is the default value when from_config() is called outside of a SafeModeScope context. This logic error conflates None (unset/default-deny) with False (explicitly disabled), bypassing the guard and allowing attacker-controlled marshal bytecode to be deserialized. Affected call sites include keras.layers.deserialize(config), keras.models.clone_model(model), and any direct invocation of Lambda.from_config(config) without an enclosing SafeModeScope(True). This vulnerability can be exploited to achieve arbitrary OS-level code execution in the context of the server or user process.

References

Affected packages

Ubuntu:18.04:LTS / keras

Package

Name
keras
Purl
pkg:deb/ubuntu/keras?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.0.7-2
2.*
2.1.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-keras",
            "binary_version": "2.1.1-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12481.json"

Ubuntu:20.04:LTS / keras

Package

Name
keras
Purl
pkg:deb/ubuntu/keras?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.2.4-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-keras",
            "binary_version": "2.2.4-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12481.json"