CRITICAL · CVE-2026-53805 · CNA: VulnCheck

CVE-2026-53805: NVIDIA SIL GEN3C Unauthenticated RCE via Pickle Deserialization in Inference API

NVIDIA Spatial Intelligence Lab's (SIL) GEN3C contains an unauthenticated remote code execution vulnerability in the inference API server where the /request-inference and /seed-model endpoints deserialize raw HTTP request bodies using Python's pickle.loads() without authentication or input validation. Attackers can supply a crafted payload containing a __reduce__ gadget to the inference API port to achieve remote code execution as the inference process.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: db2ffe12ced12ddafcec5e0422ee46ce8520746b
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated remote code execution vulnerability exists in NVIDIA Spatial Intelligence Lab's GEN3C inference API server. The /request-inference and /seed-model endpoints deserialize raw HTTP request bodies using Python's pickle.loads() without any authentication or input validation, allowing a network-accessible attacker to supply a crafted pickle payload containing a __reduce__ gadget. Successful exploitation gives the attacker arbitrary code execution as the inference process. A patched-image rebuild at commit db2ffe12ced12ddafcec5e0422ee46ce8520746b is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-53805 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images derived from nv-tlabs/GEN3C. Both pinned-commit and floating-tag image variants are covered.

Triage (Available)

HarborGuard scores this finding at CVSS 9.3 (Critical, v4.0) and can weight it against each environment's compliance policy to determine breach-of-threshold routing. Findings that exceed a customer-configured severity threshold are routed to the appropriate team inbox automatically.

Patch (Available)

A patched-image rebuild targeting commit db2ffe12ced12ddafcec5e0422ee46ce8520746b is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The inference API server must be reachable over the network; an attacker sends the crafted pickle payload directly to the exposed API port without needing local access.

  • Authentication: Not required

    The affected endpoints perform no authentication check, so any client that can reach the API port can deliver a malicious payload.

  • Victim interaction: Not required

    Exploitation is fully server-side; no user action, click, or session is needed to trigger deserialization.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; pickle deserialization executes the attacker-supplied __reduce__ gadget deterministically with no race condition or memory-layout dependency.
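The conditions above come down to one property of pickle: a stream can name a callable and have the loader invoke it. The following added example (not GEN3C code and not the change in the fix commit) shows two defensive checks on a request body, an opcode scan that never executes the stream and an unpickler that refuses all global lookups. The function names and sample bodies are constructed for illustration.

```python
import io
import pickle
import pickletools

# Opcodes that import a callable, call one, or consult the extension registry.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
                "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4"}

def code_opcodes(body):
    """List import/call opcodes in a pickle stream without executing it."""
    try:
        return [op.name for op, _arg, _pos in pickletools.genops(body)
                if op.name in CODE_OPCODES]
    except Exception:
        # Truncated or non-pickle input: treat as hostile.
        return ["MALFORMED"]

class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only plain containers and
    scalars (dict, list, str, int, float, ...) can be rebuilt."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def load_data_only(body):
    return DataOnlyUnpickler(io.BytesIO(body)).load()

def classify(body):
    """Return 'accept' only for streams that are pure data."""
    if code_opcodes(body):
        return "reject"
    load_data_only(body)  # second layer: still no globals allowed
    return "accept"

# Constructed sample bodies (not captured traffic).
PLAIN = pickle.dumps({"prompt": "orbit left", "seed": 7})
# complex() is serialized as a global lookup plus a call opcode: the same
# loader mechanism a __reduce__ gadget relies on, here with a harmless builtin.
WITH_CALL = pickle.dumps(complex(1, 2))

if __name__ == "__main__":
    for label, body in (("plain", PLAIN), ("with_call", WITH_CALL)):
        print(label, classify(body), code_opcodes(body))
```

The scan is a triage aid for logged or proxied request bodies; on the server side, a data-only format with schema validation removes the callable-invocation path entirely.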

Blast Radius

  • Attacker executes arbitrary operating system commands as the inference process user, gaining an interactive foothold inside the container.
  • Attacker reads model weights, inference inputs, and any secrets or credentials mounted into the container filesystem or environment variables.
  • Attacker modifies or deletes model artifacts and cached inference state persisted in the container's writable layer or mounted volumes.
  • Attacker can crash or hang the inference service, causing a denial of service for any workloads depending on the GEN3C inference API.

How HarborGuard Handles This

Available on HarborGuard: any image derived from nv-tlabs/GEN3C at a commit prior to db2ffe12ced12ddafcec5e0422ee46ce8520746b will be flagged at Critical severity on the next scan cycle, which begins within minutes of CVE publication. For customers who opt into auto-remediation, HarborGuard can rebuild the image at the patched commit, execute the configured regression test suite, and open a pull request against affected workloads; for high and critical severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Until a rebuild is deployed, customers are advised to restrict network access to the inference API port using network policy rules or egress filtering so that only trusted internal callers can reach /request-inference and /seed-model, and to avoid exposing the inference API on a public or untrusted network interface.


Fix available

  • Patch commit: db2ffe12ced12ddafcec5e0422ee46ce8520746b

Affected packages

  • nv-tlabs / GEN3C: < db2ffe12ced12ddafcec5e0422ee46ce8520746b (from 0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N