HIGH | CVE-2026-12191 | CNA: VulDB

CVE-2026-12191: Comma AI Openpilot Pickle modeld.py pickle.loads deserialization

A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdrive/modeld/modeld.py of the component Pickle Module. The manipulation results in deserialization. The attack is only possible with local access. The vendor was contacted early about this disclosure but did not respond in any way.

Metrics

  • CVSS v4.0: 8.5
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An insecure deserialization vulnerability affects Comma AI Openpilot version 0.11, specifically in the pickle.load/pickle.loads function within selfdrive/modeld/modeld.py. The attack requires local access to the host and a low-privilege account; no network exposure is involved. Successful exploitation gives an attacker full read, write, and crash capability over the affected process, which in a vehicular context means potential tampering with driving model data. No fix version has been published; HarborGuard tracks this advisory and will surface a patched rebuild the moment upstream ships one.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds including VulDB within minutes of publication and matched against all customer images, including custom-built images derived from or bundling Openpilot 0.11 components. Any image layer containing the affected modeld.py code path is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.5 (HIGH) and weights it against each customer organization's compliance policy to determine routing priority. Triage findings are delivered to the inbox configured for the relevant team inside each customer org, with severity context attached.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Comma AI or the community ships a remediation. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the service is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to reach the vulnerable code path.

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker operates independently once local access is established.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions or special environmental factors are required.

Blast Radius

  • Reads confidential data accessible to the modeld process, including model inputs and outputs that may contain sensor or environmental data.
  • Modifies persisted or in-memory model state, enabling an attacker to tamper with driving decisions produced by the Openpilot model pipeline.
  • Crashes the modeld process, disrupting the self-driving assistance system and potentially triggering a failsafe or unsafe vehicle state.
  • Full code execution within the modeld process context means the attacker can chain further actions against other local services or files the process can reach.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-12191 at this time, HarborGuard monitors the VulDB advisory and Comma AI release channels on every ingest cycle and will surface a patched-image rebuild automatically once a fix is published. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will fire without manual intervention. While the fix is pending, recommended compensating controls include applying strict filesystem and process-level isolation (seccomp, AppArmor, or SELinux profiles) to containers running Openpilot components to limit which processes can supply data to modeld, and enforcing least-privilege user contexts so that the low-privilege account barrier described in the CVSS vector is as narrow as possible. Customers can also use HarborGuard policy rules to block promotion of images containing the affected version to production registries until a patched rebuild is confirmed.
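A code-level complement to the isolation controls above, as an added example that is not Openpilot or HarborGuard code: an unpickler that refuses every global lookup, plus a static opcode scan for triaging pickle files on disk. It assumes the data being loaded consists only of plain containers and scalars; `SAMPLE_METADATA` and all function names are hypothetical.

```python
import collections
import io
import pickle
import pickletools

# Opcodes that let a pickle stream import or call objects during load.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only dicts, lists, tuples,
    strings, bytes, numbers, bools and None can be reconstructed."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(blob: bytes):
    """Replacement for pickle.loads when the payload should be data only."""
    return DataOnlyUnpickler(io.BytesIO(blob)).load()


def risky_opcodes(blob: bytes) -> list[str]:
    """List risky opcodes by walking the stream without executing it."""
    return sorted({op.name for op, _arg, _pos in pickletools.genops(blob)
                   if op.name in RISKY_OPCODES})


# Constructed sample inputs (not taken from Openpilot).
SAMPLE_METADATA = {"input_shapes": {"img": (1, 12, 128, 256)}, "version": 3}
# A benign object whose pickle still needs a global import to rebuild.
SAMPLE_WITH_GLOBAL = collections.OrderedDict(a=1)

if __name__ == "__main__":
    for label, obj in (("data-only", SAMPLE_METADATA),
                       ("needs global", SAMPLE_WITH_GLOBAL)):
        blob = pickle.dumps(obj)
        print(label, "opcodes:", risky_opcodes(blob))
        try:
            print("  loaded:", safe_loads(blob))
        except pickle.UnpicklingError as exc:
            print("  rejected:", exc)
```

The opcode scan is a triage aid for files at rest; the restricted unpickler is the enforcement point, since it rejects the stream at load time regardless of what the scan reported.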

Affected packages

  • Comma AI / Openpilot 0.11

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P