CVE-2026-7301
Analyzed - Analysis Complete
SGLang's Multimodal Runtime RCE via Unsafe Pickle Deserialization

Publication date: 2026-05-18

Last updated on: 2026-05-19

Assigner: CERT/CC

Description
SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling unauthenticated remote code execution when the socket is exposed to the internet or any untrusted network.
Meta Information
Published
2026-05-18
Last Modified
2026-05-19
Generated
2026-05-20
AI Q&A
2026-05-18
EPSS Evaluated
2026-05-19
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lmsys sglang 0.5.10
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-7301 is a critical Remote Code Execution (RCE) vulnerability in SGLang, an open-source framework for serving large language models and multimodal AI models.

The vulnerability arises because SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages. Python's pickle format can encode a call to any importable callable, so whoever can deliver a message to that socket chooses what code runs.

This unsafe deserialization allows unauthenticated attackers to execute arbitrary code on the host running SGLang whenever the scheduler socket is reachable; because binding to all interfaces is the default, that is the case on any host where the port is not blocked by a firewall or an explicit local-only configuration.
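The following is an added example, not code from SGLang, that shows the vulnerable pattern the description refers to (a frame from a socket handed straight to pickle.loads) next to a hardened handler that only accepts plain data types, plus a small endpoint builder that refuses wildcard binds. The ZeroMQ socket itself is left out so the block runs offline; the frames are constructed here, and the "malicious" one only calls os.getcwd() to show that the unpickler executes whatever callable the sender names. The function and class names are assumptions for illustration.

```python
import io
import os
import pickle


class ConstructedPayload:
    """Constructed attacker-controlled object: its __reduce__ tells the
    unpickler to call os.getcwd(). Any importable callable could be
    named here instead, which is why a pickle sink on a network socket
    is remote code execution rather than a data-parsing bug."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed sample frames, as the scheduler might receive them.
MALICIOUS_FRAME = pickle.dumps(ConstructedPayload())
BENIGN_FRAME = pickle.dumps({"type": "generate", "prompt": "hi"})


def unsafe_handle(frame: bytes):
    """The vulnerable pattern: deserialise a network frame with pickle.loads."""
    return pickle.loads(frame)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened form (assumed design): refuse every global reference except a
    short allowlist of plain data types, so no function can be invoked."""

    ALLOWED = {
        ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
        ("builtins", "set"), ("builtins", "str"), ("builtins", "int"),
        ("builtins", "float"), ("builtins", "bool"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_handle(frame: bytes):
    """Deserialise a frame through the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(frame)).load()


def make_endpoint(host: str, port: int) -> str:
    """Assumed helper: build a ZeroMQ tcp endpoint, rejecting wildcard hosts
    so the scheduler socket is never exposed on every interface by accident."""
    if host in {"0.0.0.0", "*", "::", "[::]"}:
        raise ValueError(f"refusing to bind scheduler socket on all interfaces ({host})")
    return f"tcp://{host}:{port}"


def demo() -> dict:
    """Run both handlers over both frames and report what each produced."""
    results = {
        "cwd": os.getcwd(),
        "unsafe_benign": unsafe_handle(BENIGN_FRAME),
        "unsafe_malicious": unsafe_handle(MALICIOUS_FRAME),
        "safe_benign": safe_handle(BENIGN_FRAME),
    }
    try:
        safe_handle(MALICIOUS_FRAME)
        results["safe_malicious"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["safe_malicious"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
    print(make_endpoint("127.0.0.1", 30000))
```

The unsafe handler returns the current working directory for the malicious frame: the sender's chosen callable ran on the receiving host. The restricted handler raises before any callable is resolved. A restricted unpickler is a stopgap; a schema-checked format such as JSON or msgpack is the durable fix, and neither replaces keeping the socket off untrusted networks.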


How can this vulnerability impact me?

This vulnerability can allow remote attackers to execute arbitrary code on the affected system without any authentication.

Because the scheduler socket binds to all network interfaces by default, attackers can exploit this flaw remotely if the service is exposed to the internet.

Successful exploitation can lead to full compromise of the host, including complete loss of confidentiality, integrity, and availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking whether the SGLang multimodal generation runtime scheduler's ROUTER socket is bound to 0.0.0.0 (all interfaces) rather than to a loopback or trusted internal address.

You can scan your network or system to see whether the scheduler's ZeroMQ ROUTER socket is open and reachable from outside, especially on the ports your SGLang deployment uses.

  • Use ss or netstat to list listening sockets together with the owning process, e.g. `ss -ltnp` or `netstat -tlnp`, and look for a local address of `0.0.0.0:<port>`, `*:<port>` or `[::]:<port>` owned by the SGLang python process. Note that a bare `grep 0.0.0.0` over this output also matches the peer-address column (`0.0.0.0:*`) of every IPv4 listener, including ones bound to 127.0.0.1, so inspect the local-address column rather than the whole line.
  • Use nmap from another host to confirm whether the port is actually reachable across the network, e.g. `nmap -p <port> <host>`.
  • Check running SGLang processes and their command-line arguments (for example `ps -o pid,args -C python`, or `/proc/<pid>/cmdline`) to see whether the server was started with `--host 0.0.0.0`. Since the description states the scheduler socket binds to 0.0.0.0 by default, the absence of that flag does not by itself mean the socket is local; confirm with the socket listing.
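An added example, not from the page or from SGLang, of the socket-listing check above done without grepping the whole line: it parses `ss -ltnp` output and reports only listeners whose local address is a wildcard, optionally restricted to a process name. The sample output, port numbers and PIDs are constructed for the example; `scan_local_host` runs the real `ss` on the current machine (it needs iproute2 and, for process names, root).

```python
import re
import subprocess
from typing import Optional

# Local addresses that mean "listen on every interface" in ss/netstat output.
WILDCARD_HOSTS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -ltnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:30000       0.0.0.0:*         users:(("python",pid=4242,fd=17))
LISTEN 0      128    127.0.0.1:30001     0.0.0.0:*         users:(("python",pid=4242,fd=18))
LISTEN 0      4096   [::]:22             [::]:*            users:(("sshd",pid=811,fd=3))
LISTEN 0      128    *:8000              *:*               users:(("python",pid=5150,fd=9))
"""

# Pulls the first process name and pid out of ss's users:(("name",pid=N,fd=M)) column.
_PROCESS_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_ss_listeners(ss_output: str) -> list:
    """Parse `ss -ltnp` text into one record per LISTEN socket."""
    records = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or something that is not a listener
        host, port = fields[3].rsplit(":", 1)  # rsplit keeps "[::]" intact
        match = _PROCESS_RE.search(line)
        records.append({
            "host": host,
            "port": int(port),
            "wildcard": host in WILDCARD_HOSTS,
            "process": match.group(1) if match else None,
            "pid": int(match.group(2)) if match else None,
        })
    return records


def find_wildcard_listeners(ss_output: str, process_filter: Optional[str] = None) -> list:
    """Return listeners bound on all interfaces, optionally only for one process name."""
    return [
        r for r in parse_ss_listeners(ss_output)
        if r["wildcard"] and (process_filter is None or r["process"] == process_filter)
    ]


def scan_local_host(process_filter: Optional[str] = "python") -> list:
    """Run ss on this host and report wildcard listeners for the given process name."""
    output = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    return find_wildcard_listeners(output, process_filter)


if __name__ == "__main__":
    for r in find_wildcard_listeners(SAMPLE_SS_OUTPUT, "python"):
        print(f"wildcard listener {r['host']}:{r['port']} pid={r['pid']} ({r['process']})")
```

On the sample, the 127.0.0.1:30001 socket is correctly left out even though its peer column reads `0.0.0.0:*`, and the sshd listener drops out once the process filter is applied. On a real host, confirm which of the flagged python listeners is the scheduler socket by checking the pid's command line before acting on the result.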

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the scheduler's ROUTER socket so that it is never bound to 0.0.0.0 on a host with an untrusted network path.

Configure SGLang to bind the scheduler socket to localhost (127.0.0.1) or a trusted internal IP address instead of all interfaces, and verify the result with a socket listing such as `ss -ltnp` rather than assuming the configuration took effect.

If the deployment does not need it, disable the multimodal runtime or keep the scheduler off the network until a fixed release is available; this page lists version 0.5.10 as affected and does not name a fixed version.

Use network-level controls such as host firewalls (iptables/nftables) or cloud security groups to block external access to the scheduler's port. Because the sink runs attacker-supplied code before any authentication, a host whose scheduler port has been reachable from untrusted networks should be treated as potentially compromised and examined, not only reconfigured.

Monitor your systems for connections to the scheduler port from unexpected sources and for unexpected child processes or outbound connections from the SGLang python process.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how CVE-2026-7301 affects compliance with common standards and regulations such as GDPR or HIPAA.

