cbcvebase.
CVE-2026-49121
published 2026-06-01

CVE-2026-49121: AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within…

PriorityP272critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.10%
61.6th percentile
AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within shm_broadcast.py that allows unauthenticated remote attackers to execute arbitrary code by sending a malicious pickle payload to a ZMQ SUB socket with no authentication, HMAC, or format validation. Attackers who can reach the writer XPUB endpoint on the cluster network or supply a forged Handle with an attacker-controlled remote_subscribe_addr can deliver a crafted pickle payload that executes arbitrary code simultaneously as the inference worker process on every remote reader worker.

Affected

4 ranges
VendorProductVersion rangeFixed in
amdaiter<= 0.1.14
rhaiisvllm-rocm-rhel9
rhoaiodh-vllm-rocm-rhel9
rocmaiter<= 0.1.14

Detection & IOCsextracted from sources · hover to see the quote

pathshm_broadcast.py
processMessageQueue.recv()
  • Monitor for inbound connections to ZMQ XPUB/SUB ports on inference worker nodes from untrusted or unexpected sources; any external access to these endpoints should be treated as suspicious.
  • Detect Python pickle deserialization of data received from a ZMQ SUB socket in AITER's shm_broadcast.py (MessageQueue.recv()); alert on pickle.loads() calls operating on network-sourced bytes in this context.
  • Flag AITER package versions 0.1.5 through 0.1.14 (inclusive) in container images, particularly rhaiis/vllm-rocm-rhel9 and rhoai/odh-vllm-rocm-rhel9, as vulnerable to unauthenticated RCE.
  • Alert on forged or unexpected ZMQ Handle objects containing attacker-controlled remote_subscribe_addr fields being supplied to AITER worker processes.
  • ·The ZMQ SUB socket in AITER's MessageQueue has no authentication, HMAC, or format validation, meaning any node that can reach the XPUB endpoint can send arbitrary payloads with no credential requirement.
  • ·Exploitation requires network access to the ZMQ XPUB endpoint on the cluster network, or the ability to supply a forged distributed Handle; this is not a default internet-facing exposure but is critical within cluster networks.
  • ·A successful exploit delivers RCE simultaneously to every remote reader worker process, not just a single node — blast radius is the entire multi-node inference cluster.
  • ·Affected Red Hat container images are rhaiis/vllm-rocm-rhel9 (Red Hat AI Inference Server) and rhoai/odh-vllm-rocm-rhel9 (Red Hat OpenShift AI); single-node deployments binding ZMQ to localhost are not exposed.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.2CRITICALCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.