Description
AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within shm_broadcast.py that allows unauthenticated remote attackers to execute arbitrary code by sending a malicious pickle payload to a ZMQ SUB socket with no authentication, HMAC, or format validation. Attackers who can reach the writer XPUB endpoint on the cluster network or supply a forged Handle with an attacker-controlled remote_subscribe_addr can deliver a crafted pickle payload that executes arbitrary code simultaneously as the inference worker process on every remote reader worker.
Published: 2026-06-01
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AI Tensor Engine for ROCm (AITER) contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within shm_broadcast.py. The flaw permits an attacker to craft a malicious pickle payload that is sent to a ZMQ SUB socket without any authentication, HMAC, or format validation. Upon receipt, the worker process deserializes the pickle payload and executes arbitrary code, potentially compromising the inference worker or any remote reader operating within the cluster.

Affected Systems

All deployments of ROCm:aiter using version 0.1.14 or earlier. The vulnerability is present in the MessageQueue.recv() implementation of shm_broadcast.py and affects any configuration that exposes the XPUB endpoint on the cluster network or accepts forged handles with attacker-controlled subscribe addresses.

Risk and Exploitability

The CVSS score of 9.2 classifies this as critical, exposing the system to arbitrary code execution with a local privilege escalation or full system compromise risk. No EPSS score is available, and the vulnerability is not yet listed in CISA KEV. Attackers would need network access to the XPUB endpoint or the ability to supply a forged handle; both conditions are likely met in an internal or improperly isolated cluster environment.

Generated by OpenCVE AI on June 1, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the patched version of AITER that addresses the pickle deserialization issue (e.g., 0.1.15 or later).
  • Configure the AITensor Engine to restrict access to the XPUB endpoint, ensuring only trusted nodes can publish to the ZMQ sockets.
  • Enable authentication and HMAC verification on ZMQ sockets or implement input validation to reject non‑pickle or malformed payloads before deserialization.

Generated by OpenCVE AI on June 1, 2026 at 20:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Amd
Amd aiter
CPEs cpe:2.3:a:amd:aiter:*:*:*:*:*:*:*:*
Vendors & Products Amd
Amd aiter

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Rocm
Rocm aiter
Vendors & Products Rocm
Rocm aiter

Tue, 02 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within shm_broadcast.py that allows unauthenticated remote attackers to execute arbitrary code by sending a malicious pickle payload to a ZMQ SUB socket with no authentication, HMAC, or format validation. Attackers who can reach the writer XPUB endpoint on the cluster network or supply a forged Handle with an attacker-controlled remote_subscribe_addr can deliver a crafted pickle payload that executes arbitrary code simultaneously as the inference worker process on every remote reader worker.
Title AI Tensor Engine for ROCm (AITER) 0.1.14 Unauthenticated RCE via MessageQueue.recv() Pickle Deserialization
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Amd Aiter
Rocm Aiter
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-02T19:06:19.240Z

Reserved: 2026-05-27T17:40:12.737Z

Link: CVE-2026-49121

cve-icon Vulnrichment

Updated: 2026-06-02T19:05:21.060Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-01T19:16:54.180

Modified: 2026-06-08T14:29:26.707

Link: CVE-2026-49121

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-01T17:09:18Z

Links: CVE-2026-49121 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:53:36Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data