CVE-2026-7301
SGLang's Multimodal Runtime RCE via Unsafe Pickle Deserialization

Publication date: 2026-05-18

Last updated on: 2026-05-19

Assigner: CERT/CC

Description
SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet.
Meta Information
Published: 2026-05-18
Last Modified: 2026-05-19
Generated: 2026-06-10
AI Q&A: 2026-05-19
EPSS Evaluated: 2026-06-08
Affected Vendors & Products
Vendor   Product   Version / Range
lmsys    sglang    0.5.10
CWE
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Compliance Impact

The provided information does not specify how CVE-2026-7301 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-7301 is a critical Remote Code Execution (RCE) vulnerability in SGLang, an open-source framework for serving large language models and multimodal AI models.

The vulnerability arises because SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages.

This unsafe deserialization allows unauthenticated attackers to execute arbitrary code on the host running SGLang if the scheduler socket is reachable, typically when configured to listen on all network interfaces.

Impact Analysis

This vulnerability can allow remote attackers to execute arbitrary code on the affected system without any authentication.

Because the scheduler socket binds to all network interfaces by default, attackers can exploit this flaw remotely if the service is exposed to the internet.

Successful exploitation can lead to full compromise of the host, including complete loss of confidentiality, integrity, and availability.

Detection Guidance

Exposure to this vulnerability can be detected by checking whether the SGLang multimodal generation runtime scheduler's ROUTER socket is bound to 0.0.0.0, which makes it reachable on all network interfaces.

You can scan your network or system to see if the scheduler's ZeroMQ ROUTER socket is open and reachable from outside, especially on default ports used by SGLang.

  • Use netstat or ss to check for sockets bound to 0.0.0.0, for example: `netstat -tuln | grep 0.0.0.0` or `ss -tuln | grep 0.0.0.0`.
  • Use nmap to scan for open ports on your host that might correspond to the scheduler socket, e.g., `nmap -p <port> <host>`.
  • Check running SGLang processes and their command-line arguments to see if the scheduler is configured with `--host 0.0.0.0`.
Mitigation Strategies

Immediate mitigation steps include restricting access to the scheduler's ROUTER socket by avoiding binding it to 0.0.0.0.

Configure SGLang to bind the scheduler socket to localhost or a trusted internal IP address instead of all interfaces.

If possible, disable the multimodal runtime or the scheduler component until a patch is available.

Use network-level controls such as firewalls or security groups to block external access to the scheduler's port.

Monitor your systems for any suspicious activity related to the scheduler socket.
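The sink the advisory describes, pickle.loads() on frames arriving at a network-exposed socket, shown beside the hardened form a defender would want: an unpickler that resolves only allowlisted globals, plus the bind-address check the mitigation section calls for. This is an added illustration, not SGLang's code; the handler functions, allowlist and sample frames are constructed stand-ins and the ZeroMQ transport is left out.

```python
import io
import pickle
from collections import OrderedDict

# Constructed stand-in for the message sink the advisory describes; the ZeroMQ
# ROUTER transport is omitted and each handler takes one frame as bytes.
# None of this is SGLang's own code.

# (module, name) pairs the scheduler may legitimately resolve while unpickling.
# Plain data (dict, list, str, bytes, int) needs no globals at all, so keep this
# as short as the real message types allow.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals; any other reference aborts the load.
    GLOBAL/STACK_GLOBAL opcodes are how a pickle reaches arbitrary callables,
    so refusing them here closes the CWE-502 sink the advisory names."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def vulnerable_handle(frame: bytes):
    """The advisory's pattern: untrusted frame bytes straight into pickle.loads()."""
    return pickle.loads(frame)

def hardened_handle(frame: bytes):
    """Same frame, loaded through the allowlisting unpickler."""
    return RestrictedUnpickler(io.BytesIO(frame)).load()

def classify(frame: bytes) -> str:
    """'accepted' if the frame loads under the allowlist, 'rejected' otherwise."""
    try:
        hardened_handle(frame)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"

def safe_bind_host(host: str) -> bool:
    """Mitigation from the advisory: never bind the scheduler to every interface."""
    return host.strip() not in ("", "0.0.0.0", "::", "*")

# Constructed sample frames: ordinary scheduler data, an allowlisted type, and a
# frame carrying a global reference (builtins.len, harmless here) that the
# restricted loader must refuse.
PLAIN_FRAME = pickle.dumps({"request_id": "r1", "prompt": "hello"})
ORDERED_FRAME = pickle.dumps(OrderedDict(request_id="r2"))
GLOBAL_FRAME = pickle.dumps(len)
```

Plain data frames load identically under both handlers; only the frame that names a global outside the allowlist is refused, which is the property to verify when hardening a pickle-based transport.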
