EUVD-2026-36670
GHSA-wp3f-pcm8-3jxw
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local access to the device is required (AV:L) and the attacker needs low privileges to write the pickle file modeld will load (PR:L); deserialization yields full RCE in the modeld process, giving C:H/I:H/A:H.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdrive/modeld/modeld.py of the component Pickle Module. The manipulation results in deserialization. The attack is only possible with local access. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Insecure deserialization in Comma AI Openpilot 0.11 allows a local authenticated attacker to achieve code execution by supplying a malicious pickle payload to the pickle.load/pickle.loads calls in selfdrive/modeld/modeld.py. The flaw requires local access with low privileges and no public exploit identified at time of analysis, but the vendor reportedly did not respond to coordinated disclosure, leaving the issue unpatched. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must have local access to the Openpilot device (CVSS AV:L) with at least low privileges sufficient to write to the file or stream consumed by pickle.load/pickle.loads in selfdrive/modeld/modeld.py (PR:L), and modeld must subsequently load that data - typically at daemon startup or model reload. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N, VC:H/VI:H/VA:H) is internally consistent with the description: local access with low privileges yields full impact on the modeld process, which on an Openpilot device effectively controls vehicle actuation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with local low-privileged access to a comma device - for example via a prior SSH foothold, a malicious USB-delivered update, or a shared development unit - writes a crafted pickle file to the path that selfdrive/modeld/modeld.py deserializes. When modeld starts (or reloads the model), pickle.load executes the embedded __reduce__ payload as the modeld user, giving the attacker arbitrary code execution inside the process that drives the vehicle's steering and longitudinal control. … |
| Remediation | No vendor-released patch identified at time of analysis - VulDB reports the vendor was contacted but did not respond, and no fix version or commit appears in the supplied references. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all deployed Openpilot 0.11 installations and isolate systems that cannot be immediately upgraded. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today