CVE-2026-49121
Unauthenticated RCE in AI Tensor Engine for ROCm
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amd | ai_tensor_engine_for_rocm | up to 0.1.14 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-49121 is a critical unauthenticated remote code execution vulnerability in AI Tensor Engine for ROCm (AITER) versions up to 0.1.14. It exists in the MessageQueue.recv() function within the shm_broadcast.py file, where the software uses Python's pickle module to deserialize data received from a ZMQ SUB socket without any authentication, HMAC, or format validation.
An attacker who can access the writer XPUB endpoint on the cluster network or supply a forged Handle with a malicious remote_subscribe_addr can send a crafted pickle payload. This payload executes arbitrary code simultaneously on every remote reader worker process involved in inference tasks, effectively allowing remote code execution across the cluster.
How can this vulnerability impact me?
This vulnerability allows attackers with network access to the cluster to execute arbitrary code remotely as the inference worker process. This can lead to the simultaneous compromise of all remote reader workers in the cluster.
- Arbitrary code execution on inference worker processes.
- Potential exfiltration of model weights and sensitive data.
- Lateral movement within the cluster using compromised credentials.
- Compromise of shared GPU clusters or multi-tenant environments.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your system is running AI Tensor Engine for ROCm (AITER) version 0.1.14 or earlier, and if the vulnerable MessageQueue.recv() function is exposed via a ZMQ SUB socket without authentication.
Since the vulnerability exploits unauthenticated pickle deserialization on a TCP-bound ZMQ XPUB socket, you can detect suspicious network activity by monitoring connections to the XPUB endpoint, especially from untrusted sources.
Suggested commands to help detect the vulnerability or exploitation attempts include:
- Use netstat or ss to check for listening ZMQ XPUB sockets, e.g., `netstat -tulnp | grep <port>` or `ss -tulnp | grep <port>` where <port> is the XPUB socket port.
- Use tcpdump or Wireshark to capture and analyze network traffic on the XPUB socket port to detect suspicious pickle payloads.
- Check running processes for AITER versions and inspect logs for unexpected remote connections or errors related to pickle deserialization.
- If possible, instrument or audit the MessageQueue.recv() function to log or alert on deserialization attempts.
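The first detection step above, checking whether a ZMQ listener is bound to a non-loopback address, can be automated by parsing `ss -tlnp` output. The following script is an added example, not part of this advisory or of the AITER project; it parses a constructed sample of `ss` output (the port numbers 5557/5558 and the process names are assumptions, since the advisory does not state which port the XPUB socket uses) and flags any listener on the given ports that is reachable from outside the host.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output used so the example runs offline.
# pid/port values are made up for illustration.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      100    127.0.0.1:5557    0.0.0.0:*         users:(("python3",pid=4101,fd=12))
LISTEN 0      100    0.0.0.0:5558      0.0.0.0:*         users:(("python3",pid=4102,fd=12))
LISTEN 0      128    [::]:22           [::]:*            users:(("sshd",pid=812,fd=3))
"""

@dataclass
class Listener:
    addr: str
    port: int
    process: str
    pid: int

# Matches one LISTEN row of `ss -tlnp`; the greedy address group also
# handles bracketed IPv6 addresses such as "[::]:22".
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+),'
)

def parse_ss(output: str) -> list[Listener]:
    """Parse LISTEN rows into Listener records; non-matching rows are skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(
                Listener(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
            )
    return listeners

def is_loopback(addr: str) -> bool:
    """True only for bind addresses that cannot be reached from the network."""
    return addr in {"127.0.0.1", "[::1]", "localhost"} or addr.startswith("127.")

def find_exposed(listeners: list[Listener], ports: set[int]) -> list[Listener]:
    """Return listeners on the watched ports that are bound to a non-loopback address."""
    return [l for l in listeners if l.port in ports and not is_loopback(l.addr)]

def audit_host(ports: set[int]) -> list[Listener]:
    """Run `ss -tlnp` on the local host and report exposed listeners (Linux only)."""
    out = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
    return find_exposed(parse_ss(out), ports)

if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    for l in find_exposed(parse_ss(SAMPLE_SS_OUTPUT), {5557, 5558}):
        print(f"EXPOSED: {l.process} (pid {l.pid}) listening on {l.addr}:{l.port}")
```

On the sample only the listener bound to `0.0.0.0:5558` is reported; the one on `127.0.0.1:5557` is the loopback-only configuration the mitigation section recommends. Replace the port set with the port your deployment actually uses for the XPUB socket.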
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network exposure and improving validation to prevent exploitation of the unauthenticated remote code execution vulnerability.
- Restrict the XPUB socket bind address to localhost (tcp://127.0.0.1) to prevent remote network access, especially in single-host deployments.
- If multi-host deployment is required, explicitly opt-in and ensure strong network segmentation and access controls to limit who can reach the XPUB endpoint.
- Replace the use of Python's pickle deserialization with a safer serialization method such as msgpack or safetensors to avoid unsafe deserialization.
- If retaining pickle is necessary, implement HMAC-SHA256 verification on the frames to ensure authenticity and integrity before deserialization.
- Monitor network traffic and logs for suspicious activity targeting the XPUB socket and MessageQueue.recv() function.
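The two serialization-level mitigations above (a data-only format instead of pickle, and an HMAC-SHA256 tag on every frame) can be combined in a small frame codec. The code below is an added example written for this page, not AITER's own code: it uses only the Python standard library, with JSON standing in for the msgpack or safetensors encoding the advisory suggests (an assumption; `json.dumps`/`json.loads` could be swapped for `msgpack.packb`/`msgpack.unpackb` without changing the framing). The frame layout (32-byte tag followed by the body) and the shared-key provisioning are also assumptions.

```python
import hmac
import hashlib
import json
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

class FrameError(Exception):
    """Raised for any frame that must be discarded before it is decoded."""

def new_shared_key() -> bytes:
    """Generate a key to be distributed to writer and readers out of band."""
    return secrets.token_bytes(32)

def seal_frame(key: bytes, payload: dict) -> bytes:
    """Encode a payload as data-only JSON and prepend its HMAC-SHA256 tag."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body

def open_frame(key: bytes, frame: bytes, max_body: int = 1 << 20) -> dict:
    """Verify the tag in constant time, then decode; never touches pickle."""
    if len(frame) < TAG_LEN:
        raise FrameError("frame shorter than tag")
    if len(frame) > TAG_LEN + max_body:
        raise FrameError("frame exceeds size limit")
    tag, body = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # compare_digest avoids leaking where the first mismatching byte is.
    if not hmac.compare_digest(tag, expected):
        raise FrameError("HMAC verification failed")
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise FrameError(f"malformed body: {exc}") from exc
    if not isinstance(payload, dict):
        raise FrameError("body is not an object")
    return payload

def receive_frames(key: bytes, frames: list[bytes]) -> tuple[list[dict], int]:
    """Reader-side loop: accept verified frames, count the dropped ones."""
    accepted, dropped = [], 0
    for f in frames:
        try:
            accepted.append(open_frame(key, f))
        except FrameError:
            dropped += 1
    return accepted, dropped

if __name__ == "__main__":
    key = new_shared_key()
    good = seal_frame(key, {"op": "ack", "rank": 1})
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])   # constructed: flipped body byte
    foreign = seal_frame(b"\x00" * 32, {"op": "ack"})  # constructed: wrong key
    ok, bad = receive_frames(key, [good, tampered, foreign, b"short"])
    print(f"accepted={ok} dropped={bad}")
```

Two properties matter here: an unauthenticated sender cannot produce a frame that passes `hmac.compare_digest`, so forged frames are dropped before any decoding; and because the body is decoded as plain data rather than unpickled, even a frame that does carry a valid tag cannot instantiate arbitrary objects.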
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated remote code execution, which can lead to arbitrary code execution on inference worker processes and potential exfiltration of model weights and lateral movement within the cluster.
Such unauthorized access and potential data exfiltration could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.
However, the provided context and resources do not explicitly discuss the impact of this vulnerability on compliance with these or other common standards and regulations.