CVE-2026-53805
Published 2026-06-17
Priority P271 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.69% (47.9th percentile)
NVIDIA Spatial Intelligence Lab's (SIL) GEN3C contains an unauthenticated remote code execution vulnerability in the inference API server where the /request-inference and /seed-model endpoints deserialize raw HTTP request bodies using Python's pickle.loads() without authentication or input validation. Attackers can supply a crafted payload containing a __reduce__ gadget to the inference API port to achieve remote code execution as the inference process.
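The following is an added defensive example, not code from GEN3C or its patch: a static scan of a request body for the pickle opcodes a `__reduce__` payload depends on, plus an unpickler that refuses every global lookup. All function and class names are hypothetical, and the sample bodies are constructed.

```python
import io
import pickle
import pickletools

# Hypothetical helper names; not part of GEN3C.
# Opcodes that import a callable or invoke one during unpickling.
CALL_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ",
                "NEWOBJ_EX", "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4"}


def risky_opcodes(body: bytes) -> list[str]:
    """Statically list opcodes in `body` that can import or call objects.

    pickletools.genops only parses the stream; nothing is executed.
    """
    try:
        return [op.name for op, _arg, _pos in pickletools.genops(body)
                if op.name in CALL_OPCODES]
    except Exception:
        # Truncated or non-pickle input: treat as hostile.
        return ["MALFORMED"]


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so only plain data loads."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def data_only_loads(body: bytes):
    """Load a pickle made of built-in containers and scalars, or raise."""
    return NoGlobalsUnpickler(io.BytesIO(body)).load()


# Constructed sample inputs. The __reduce__ sample references the harmless
# builtin len() and is only ever parsed or rejected here, never loaded.
class _ReduceSample:
    def __reduce__(self):
        return (len, ("constructed",))


PLAIN_BODY = pickle.dumps({"prompt": "constructed", "steps": 4})
REDUCE_BODY = pickle.dumps(_ReduceSample())
```

Neither check adds authentication, which the advisory also lists as missing on these endpoints.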
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nv-tlabs | gen3c | < db2ffe12ced12ddafcec5e0422ee46ce8520746b | db2ffe12ced12ddafcec5e0422ee46ce8520746b |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| cvelistv5 | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
CVEList
NVIDIA SIL GEN3C Unauthenticated RCE via Pickle Deserialization in Inference API
cvelistv5·2026-06-17·CVSS 9.3
CVE-2026-53805 [CRITICAL] CWE-502 NVIDIA SIL GEN3C Unauthenticated RCE via Pickle Deserialization in Inference API
GHSA
ghsa_unreviewed·2026-06-17
CVE-2026-53805 [CRITICAL] CWE-502
VulDB
nv-tlabs GEN3C Inference API pickle.loads deserialization
vuldb·2026-06-17
CVE-2026-53805 [CRITICAL] nv-tlabs GEN3C Inference API pickle.loads deserialization
A vulnerability was found in nv-tlabs GEN3C. It has been classified as critical. This affects the function pickle.loads of the component Inference API. The manipulation leads to deserialization.
This vulnerability is listed as CVE-2026-53805. The attack may be initiated remotely. There is no available exploit.
To fix this issue, it is recommended to deploy a patch.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-17