CVE-2026-12191
Received - Intake
Deserialization Flaw in Comma AI Openpilot

Publication date: 2026-06-14

Last updated on: 2026-06-14

Assigner: VulDB

Description
A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdrive/modeld/modeld.py of the component Pickle Module. The manipulation results in deserialization. The attack is only possible with local access. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-06-14
Last Modified: 2026-06-14
Generated: 2026-06-15
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
comma_ai openpilot 0.11
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Executive Summary

This vulnerability exists in Comma AI Openpilot version 0.11, in the Pickle Module component within the file selfdrive/modeld/modeld.py. The affected code calls pickle.load and pickle.loads, and manipulating the data those calls process results in unsafe deserialization. The attack is possible only if the attacker has local access to the system.

Impact Analysis

The vulnerability allows an attacker with local access to manipulate the deserialization process, potentially leading to unauthorized code execution or other malicious actions. According to the CVSS v3.1 score of 7.8, the impact includes high confidentiality, integrity, and availability risks, meaning sensitive data could be exposed or altered, and system functionality could be disrupted.
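
A common mitigation for CWE-502 at a pickle.load call site, shown as an added example that is not openpilot code and not taken from the advisory: pin the file's digest, then load it with an unpickler that refuses every class or function lookup. It assumes the pickled file holds plain data only (the page does not say what the file contains); SAMPLE_METADATA, DataOnlyUnpickler, risky_opcodes and load_trusted are hypothetical names.

```python
import hashlib
import hmac
import io
import pickle
import pickletools

# Constructed sample: hypothetical model metadata made of plain data only.
SAMPLE_METADATA = {"input_shapes": {"img": [1, 12, 128, 256]}, "output_len": 6504}

# Opcodes that import or construct arbitrary objects during unpickling.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every class or function lookup."""

    def find_class(self, module, name):
        # GLOBAL and STACK_GLOBAL resolve names through this hook;
        # dicts, lists, strings and numbers never reach it.
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def risky_opcodes(blob):
    """Static triage: list risky opcodes without executing the pickle."""
    return [op.name for op, _arg, _pos in pickletools.genops(blob)
            if op.name in RISKY_OPCODES]


def load_trusted(blob, expected_sha256):
    """Check the pinned digest first, then load as plain data only."""
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError("pickle digest mismatch, refusing to load")
    return DataOnlyUnpickler(io.BytesIO(blob)).load()


if __name__ == "__main__":
    blob = pickle.dumps(SAMPLE_METADATA)
    pinned = hashlib.sha256(blob).hexdigest()  # would be recorded at build time
    print(load_trusted(blob, pinned))
    print(risky_opcodes(blob))
```

Where the stored data really is plain, switching the file to a data-only format such as JSON removes the deserialization surface entirely.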
