HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-49121Published Modified CNA VulnCheck

CVE-2026-49121: AI Tensor Engine for ROCm (AITER) 0.1.14 Unauthenticated RCE via MessageQueue.recv() Pickle Deserialization

AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within shm_broadcast.py that allows unauthenticated remote attackers to execute arbitrary code by sending a malicious pickle payload to a ZMQ SUB socket with no authentication, HMAC, or format validation. Attackers who can reach the writer XPUB endpoint on the cluster network or supply a forged Handle with an attacker-controlled remote_subscribe_addr can deliver a crafted pickle payload that executes arbitrary code simultaneously as the inference worker process on every remote reader worker.

Metrics

CVSS v4.0
9.2
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is an unauthenticated remote code execution vulnerability caused by unsafe pickle deserialization in AI Tensor Engine for ROCm (AITER) versions through 0.1.14. The affected function, MessageQueue.recv() in shm_broadcast.py, accepts arbitrary data from a ZMQ SUB socket without any authentication, HMAC verification, or format validation, meaning any attacker who can reach the exposed endpoint over the network can send a crafted payload. Successful exploitation gives the attacker full code execution as the inference worker process on every connected reader worker in the cluster simultaneously. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment - the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines. Coverage extends to custom-built images that bundle AITER or ROCm components, not just images sourced from public registries.

Available
Triage

HarborGuard scores this finding at CVSS v4.0 9.2 (Critical) and is capable of weighting that score against each customer environment's compliance policy to determine urgency and escalation path. Triage routing is available to direct alerts to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available
Patch

No upstream fix has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix version is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention as soon as a fix version exists.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the ZMQ XPUB or SUB socket over the network; the vulnerable endpoint is exposed as a network-accessible service within the cluster.

  • AuthenticationNot required

    The ZMQ socket accepts connections and data with no authentication, HMAC, or credential check of any kind.

  • Victim interactionNot required

    No user interaction is needed; the deserialization executes automatically when the worker processes the incoming message.

  • Attack complexityDetail

    Exploit reliability is high under normal conditions, though a specific attack path (reaching the writer XPUB endpoint or supplying a forged Handle with an attacker-controlled remote_subscribe_addr) introduces a conditional environmental factor.

Blast Radius

  • The attacker executes arbitrary operating-system commands as the inference worker process, gaining full control of that process's privileges and filesystem access.
  • Because the payload is broadcast, code execution triggers simultaneously on every remote reader worker subscribed to the channel, not just a single node.
  • The attacker can read model weights, inference inputs, outputs, and any secrets or credentials accessible to the worker process.
  • The attacker can modify or corrupt inference outputs, inject poisoned results into downstream consumers, or terminate worker processes to disrupt the inference service.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-49121 is active across all connected environments, flagging any image that includes AITER at or below version 0.1.14 as Critical. Because no upstream fix exists, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a full rebuild plus regression run plus PR against affected workloads the moment a fix version is published. In the interim, compensating controls are available through HarborGuard network policy tooling: isolating the ZMQ XPUB and SUB ports to a dedicated internal network segment, applying egress filtering to prevent worker nodes from initiating outbound connections to attacker-controlled endpoints, and flagging any image using the shm_broadcast MessageQueue path for manual review before promotion to production. Customers who operate AITER in multi-tenant or internet-adjacent clusters should treat this as a critical-priority finding requiring immediate network-level isolation of the affected service until an upstream patch is available.

See how HarborGuard automates this
Affected packages
  • ROCm / aiter
    ≤ 0.1.14
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References