UBUNTU-CVE-2026-12482

Source
https://ubuntu.com/security/CVE-2026-12482
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12482.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-12482
Upstream
  • CVE-2026-12482
Published
2026-07-14T06:16:00Z
Modified
2026-07-15T19:45:58.953248498Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

A vulnerability in keras-team/keras version 3.12.0 allows an attacker to craft a malicious tar archive that bypasses the filter_safe_tarinfos validation in keras/src/utils/file_utils.py. Specifically, symlink entries are not subjected to the same is_path_in_dir validation as regular file entries, allowing symlinks to be created outside the intended extraction directory. This can lead to symlink-based file read, file overwrite, or directory escape attacks. The issue is particularly impactful on Python 3.10 and 3.11, where filter_safe_tarinfos is the sole defense against tar path traversal. This vulnerability is distinct from CVE-2025-12060 and other previously reported issues.

References

Affected packages

Ubuntu:18.04:LTS / keras

Package

Name
keras
Purl
pkg:deb/ubuntu/keras?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.0.7-2
2.*
2.1.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-keras",
            "binary_version": "2.1.1-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12482.json"

Ubuntu:20.04:LTS / keras

Package

Name
keras
Purl
pkg:deb/ubuntu/keras?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.2.4-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-keras",
            "binary_version": "2.2.4-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12482.json"