HIGH 8.1

CVE-2026-49121: AITER Unauthenticated Remote Code Execution in ROCm Inference

AI Tensor Engine for ROCm (AITER) versions up to 0.1.14 contain a critical flaw that allows attackers to run arbitrary code on inference worker machines without authentication. An attacker who can reach certain network endpoints or forge specific credentials can send a specially crafted message that executes code with the privileges of the inference worker process across multiple nodes simultaneously. This vulnerability requires network access to specific cluster communication channels but bypasses all authentication and validation mechanisms.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-502
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-07-06

NVD description (verbatim)

AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within shm_broadcast.py that allows unauthenticated remote attackers to execute arbitrary code by sending a malicious pickle payload to a ZMQ SUB socket with no authentication, HMAC, or format validation. Attackers who can reach the writer XPUB endpoint on the cluster network or supply a forged Handle with an attacker-controlled remote_subscribe_addr can deliver a crafted pickle payload that executes arbitrary code simultaneously as the inference worker process on every remote reader worker.

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

AITER's MessageQueue.recv() function in shm_broadcast.py fails to validate or authenticate incoming messages on a ZMQ SUB socket. The function deserializes untrusted pickle payloads without HMAC validation or format checking. An attacker capable of reaching the writer XPUB endpoint or supplying a forged Handle with an attacker-controlled remote_subscribe_addr can inject a malicious pickle object. Upon deserialization, the payload executes arbitrary code in the context of the inference worker process. The ZMQ SUB-XPUB architecture means a single malicious message can propagate execution across all reader workers in the cluster.

Business impact

Compromise of AITER inference clusters enables attackers to steal model weights, training data, and inferences; inject backdoors into model predictions; corrupt or delete models; or launch further attacks against internal infrastructure. For organizations running ROCm-accelerated AI workloads, this creates risk of intellectual property theft, service disruption, and potential supply-chain contamination if affected models are redistributed. The impact scales with cluster size and the sensitivity of models and data processed.

Affected systems

AMD AITER versions 0.1.14 and earlier are affected. Organizations using ROCm-based inference clusters, particularly those running distributed inference workloads on AMD GPUs, should audit their AITER deployments. The vulnerability is most exploitable in environments where cluster network access is shared or insufficiently segmented from untrusted networks.

Exploitability

The attack requires network access to the ZMQ SUB socket or the ability to forge and inject a Handle with malicious remote_subscribe_addr. In segmented, air-gapped cluster environments, exploitability is lower. However, in cloud-hosted or multi-tenant ROCm clusters, or where cluster networks are accessible from less-trusted zones, the attack surface is substantially higher. No user interaction or special conditions are required once network access is achieved. The attack complexity is rated 'High' primarily due to the requirement to reach specific internal endpoints, but the ease of pickle exploitation once those endpoints are reached is a significant concern.

Remediation

Upgrade AITER to a version newer than 0.1.14 that implements message authentication and validation. Verify against the AMD/ROCm vendor advisory for the exact patched version. Until patches are applied, implement network segmentation to restrict access to ZMQ endpoints to trusted hosts only, monitor inter-worker communication for suspicious pickle deserialization patterns, and consider disabling remote inference features if not actively required.

Patch guidance

Check the AMD ROCm and AITER release notes for versions beyond 0.1.14. Apply patches promptly to all nodes in your AITER clusters. Before patching, test in a non-production environment to ensure compatibility with your inference workloads and any custom configurations. Consider staggered rollouts to avoid service interruption.

Detection guidance

Monitor ZMQ socket activity for unexpected connections to SUB sockets from untrusted IP ranges. Log and alert on deserialization of pickle objects in MessageQueue.recv() if instrumentation is available. Use network taps or host-based monitoring to detect anomalous inter-worker communication patterns. Check for fork() or exec() system calls originating from AITER worker processes that deviate from normal inference patterns. Correlation of these signals across multiple workers may indicate a propagated attack.

Why prioritize this

This vulnerability merits immediate attention due to its combination of high impact (remote code execution as the inference worker), lack of authentication barriers, and potential for cluster-wide exploitation. Although network access is required, the criticality of inference infrastructure and the richness of potential targets in AITER deployments (models, training data, GPU resources) justify treating this as a near-critical risk. Organizations should prioritize patching AITER deployments before addressing lower-severity vulnerabilities.

Risk score, explained

The CVSS 3.1 score of 8.1 (HIGH) reflects remote code execution with no privileges or user interaction required, balanced against the 'High' attack complexity stemming from the need to reach internal cluster endpoints. The vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) captures complete confidentiality, integrity, and availability impact. In practice, organizations with strict network boundaries may experience lower risk; those with less segmentation face substantially higher risk.

Frequently asked questions

Does this vulnerability require the attacker to be on the cluster network?

The attacker must either reach the ZMQ writer XPUB endpoint directly or supply a forged Handle with an attacker-controlled remote_subscribe_addr. In many deployments, this implies network access to the cluster or the ability to compromise cluster member credentials. However, if remote_subscribe_addr can be influenced by an external attacker (e.g., via misconfigured APIs or client libraries), the scope expands beyond the cluster network.

Can this be exploited in a single-node AITER setup?

Single-node deployments are still vulnerable if the ZMQ SUB socket is accessible over the network or if a forged Handle can be injected. The pickle deserialization vulnerability exists regardless of cluster topology. However, multi-node clusters amplify the impact because a single message can trigger code execution across all workers simultaneously.

What is the difference between this vulnerability and standard insecure deserialization?

This combines insecure pickle deserialization (CWE-502) with a complete absence of authentication or message validation. An attacker does not need to compromise credentials or bypass signatures—the endpoint accepts and deserializes untrusted payloads by design. The ZMQ pub-sub pattern means the attacker's payload is automatically distributed to all subscribers.

Is upgrading the only mitigation?

Patching is the permanent solution. Interim mitigations include strict network segmentation, disabling remote inference if unused, monitoring for anomalous ZMQ traffic and process execution, and restricting who can generate or supply Handles. These do not eliminate the vulnerability but can reduce exploitability window.

This analysis is provided for informational purposes. Patch versions, vendor advisories, and timelines should be verified directly with AMD and ROCm project sources. No exploit code or weaponized proof-of-concept has been provided. Organizations should conduct their own risk assessment based on their network architecture, AITER version inventory, and cluster exposure. This vulnerability has not been assigned KEV status at the time of publication. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).