Executive Summary

CVE-2026-49121 is a critical unauthenticated remote code execution vulnerability in AI Tensor Engine for ROCm (AITER) versions up to 0.1.14. It exists in the MessageQueue.recv() function within the shm_broadcast.py file, where the software uses Python's pickle module to deserialize data received from a ZMQ SUB socket without any authentication, HMAC, or format validation.

An attacker who can access the writer XPUB endpoint on the cluster network or supply a forged Handle with a malicious remote_subscribe_addr can send a crafted pickle payload. This payload executes arbitrary code simultaneously on every remote reader worker process involved in inference tasks, effectively allowing remote code execution across the cluster.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers with network access to the cluster to execute arbitrary code remotely as the inference worker process. This can lead to the simultaneous compromise of all remote reader workers in the cluster.

• Arbitrary code execution on inference worker processes.
• Potential exfiltration of model weights and sensitive data.
• Lateral movement within the cluster using compromised credentials.
• Compromise of shared GPU clusters or multi-tenant environments.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying if your system is running AI Tensor Engine for ROCm (AITER) version 0.1.14 or earlier, and if the vulnerable MessageQueue.recv() function is exposed via a ZMQ SUB socket without authentication.

Since the vulnerability exploits unauthenticated pickle deserialization on a TCP-bound ZMQ XPUB socket, you can detect suspicious network activity by monitoring connections to the XPUB endpoint, especially from untrusted sources.

Suggested commands to help detect the vulnerability or exploitation attempts include:

• Use netstat or ss to check for listening ZMQ XPUB sockets, e.g., `netstat -tulnp | grep <port>` or `ss -tulnp | grep <port>` where <port> is the XPUB socket port.
• Use tcpdump or Wireshark to capture and analyze network traffic on the XPUB socket port to detect suspicious pickle payloads.
• Check running processes for AITER versions and inspect logs for unexpected remote connections or errors related to pickle deserialization.
• If possible, instrument or audit the MessageQueue.recv() function to log or alert on deserialization attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting network exposure and improving validation to prevent exploitation of the unauthenticated remote code execution vulnerability.

• Restrict the XPUB socket bind address to localhost (tcp://127.0.0.1) to prevent remote network access, especially in single-host deployments.
• If multi-host deployment is required, explicitly opt-in and ensure strong network segmentation and access controls to limit who can reach the XPUB endpoint.
• Replace the use of Python's pickle deserialization with a safer serialization method such as msgpack or safetensors to avoid unsafe deserialization.
• If retaining pickle is necessary, implement HMAC-SHA256 verification on the frames to ensure authenticity and integrity before deserialization.
• Monitor network traffic and logs for suspicious activity targeting the XPUB socket and MessageQueue.recv() function.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated remote code execution, which can lead to arbitrary code execution on inference worker processes and potential exfiltration of model weights and lateral movement within the cluster.

Such unauthorized access and potential data exfiltration could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the provided context and resources do not explicitly discuss the impact of this vulnerability on compliance with these or other common standards and regulations.

Useful 0 Not Useful 0