{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-49121", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-05-27T17:40:12.737Z", "datePublished": "2026-06-01T17:09:18.607Z", "dateUpdated": "2026-06-30T12:09:56.718Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-06-23T16:16:40.631Z"}, "title": "AI Tensor Engine for ROCm (AITER) 0.1.14 Unauthenticated RCE via MessageQueue.recv() Pickle Deserialization", "descriptions": [{"lang": "en", "value": "AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within shm_broadcast.py that allows unauthenticated remote attackers to execute arbitrary code by sending a malicious pickle payload to a ZMQ SUB socket with no authentication, HMAC, or format validation. Attackers who can reach the writer XPUB endpoint on the cluster network or supply a forged Handle with an attacker-controlled remote_subscribe_addr can deliver a crafted pickle payload that executes arbitrary code simultaneously as the inference worker process on every remote reader worker."}], "tags": ["x_open-source"], "datePublic": "2026-05-07T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "type": "CWE"}]}], "affected": [{"defaultStatus": "affected", "vendor": "ROCm", "product": "aiter", "repo": "https://github.com/ROCm/aiter", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.1.14"}]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.2, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "references": [{"url": "https://github.com/ROCm/aiter/issues/3076", "tags": ["issue-tracking"]}, {"url": "https://github.com/ROCm/aiter/pull/3170", "tags": ["issue-tracking"]}, {"url": "https://www.vulncheck.com/advisories/ai-tensor-engine-for-rocm-aiter-unauthenticated-rce-via-messagequeue-recv-pickle-deserialization", "tags": ["third-party-advisory"]}], "credits": [{"lang": "en", "value": "YU SUN", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "vulncheck"}}, "adp": [{"references": [{"url": "https://github.com/ROCm/aiter/issues/3076", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-02T19:05:53.401439Z", "id": "CVE-2026-49121", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-02T19:06:19.240Z"}}, {"affected": [{"cpes": ["cpe:/a:redhat:ai_inference_server:3"], "defaultStatus": "affected", "product": "Red Hat AI Inference Server", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift_ai"], "defaultStatus": "affected", "product": "Red Hat OpenShift AI (RHOAI)", "vendor": "Red Hat"}], "datePublic": "2026-06-01T17:09:18.607Z", "descriptions": [{"lang": "en", "value": "A flaw was found in AI Tensor Engine for ROCm (AITER). This vulnerability allows unauthenticated remote attackers to execute arbitrary code by sending a specially crafted data package, known as a pickle payload, to a ZeroMQ (ZMQ) subscriber socket. This exploitation is possible due to a lack of authentication, message integrity checks (HMAC), or format validation in the MessageQueue.recv() function. Successful exploitation can lead to arbitrary code execution on every remote reader worker, posing a critical risk to the system's integrity and confidentiality."}], "metrics": [{"other": {"content": {"namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "references": [{"tags": ["vdb-entry", "x_refsource_REDHAT"], "url": "https://access.redhat.com/security/cve/CVE-2026-49121"}, {"name": "RHBZ#2483882", "tags": ["issue-tracking", "x_refsource_REDHAT"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2483882"}, {"tags": ["x_sadp-csaf-vex"], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49121.json"}], "timeline": [{"lang": "en", "time": "2026-06-01T19:01:30.600Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-01T17:09:18.607Z", "value": "Made public."}], "title": "aiter: AI Tensor Engine for ROCm (AITER): Remote Code Execution via Unauthenticated Pickle Deserialization", "workarounds": [{"lang": "en", "value": "Mitigate this issue by limiting network access to AITER/vLLM inference worker ZMQ endpoints to trusted cluster nodes only. Do not expose XPUB/subscribe ports outside the cluster network.\n\nWhere multi-node ROCm inference is not required, prefer single-node deployments that bind ZMQ to localhost where supported.\n\nUpdate to a fixed AITER release (upstream fix expected in 0.1.15 or later) when provided in updated Red Hat AI Inference Server and Red Hat OpenShift AI container images. Refer to the errata or advisory linked from this CVE page when available."}], "x_adpType": "supplier", "x_generator": {"engine": "sadp-cli 1.0.0"}, "providerMetadata": {"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-30T12:09:56.718Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "aiter: AI Tensor Engine for ROCm (AITER): Remote Code Execution via Unauthenticated Pickle Deserialization", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:ai_inference_server:3"], "vendor": "Red Hat", "product": "Red Hat AI Inference Server", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift_ai"], "vendor": "Red Hat", "product": "Red Hat OpenShift AI (RHOAI)", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-06-01T19:01:30.600Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-01T17:09:18.607Z", "value": "Made public."}], "x_adpType": "supplier", "datePublic": "2026-06-01T17:09:18.607Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-49121", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2483882", "name": "RHBZ#2483882", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49121.json", "tags": ["x_sadp-csaf-vex"]}], "workarounds": [{"lang": "en", "value": "Mitigate this issue by limiting network access to AITER/vLLM inference worker ZMQ endpoints to trusted cluster nodes only. Do not expose XPUB/subscribe ports outside the cluster network.\n\nWhere multi-node ROCm inference is not required, prefer single-node deployments that bind ZMQ to localhost where supported.\n\nUpdate to a fixed AITER release (upstream fix expected in 0.1.15 or later) when provided in updated Red Hat AI Inference Server and Red Hat OpenShift AI container images. Refer to the errata or advisory linked from this CVE page when available."}], "x_generator": {"engine": "sadp-cli 1.0.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in AI Tensor Engine for ROCm (AITER). This vulnerability allows unauthenticated remote attackers to execute arbitrary code by sending a specially crafted data package, known as a pickle payload, to a ZeroMQ (ZMQ) subscriber socket. This exploitation is possible due to a lack of authentication, message integrity checks (HMAC), or format validation in the MessageQueue.recv() function. Successful exploitation can lead to arbitrary code execution on every remote reader worker, posing a critical risk to the system's integrity and confidentiality."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-30T03:17:21.026Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-49121", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-02T19:05:53.401439Z"}}}], "references": [{"url": "https://github.com/ROCm/aiter/issues/3076", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-02T19:05:21.060Z"}}], "cna": {"tags": ["x_open-source"], "title": "AI Tensor Engine for ROCm (AITER) 0.1.14 Unauthenticated RCE via MessageQueue.recv() Pickle Deserialization", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "YU SUN"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/ROCm/aiter", "vendor": "ROCm", "product": "aiter", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.1.14"}], "defaultStatus": "affected"}], "datePublic": "2026-05-07T00:00:00.000Z", "references": [{"url": "https://github.com/ROCm/aiter/issues/3076", "tags": ["issue-tracking"]}, {"url": "https://github.com/ROCm/aiter/pull/3170", "tags": ["issue-tracking"]}, {"url": "https://www.vulncheck.com/advisories/ai-tensor-engine-for-rocm-aiter-unauthenticated-rce-via-messagequeue-recv-pickle-deserialization", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within shm_broadcast.py that allows unauthenticated remote attackers to execute arbitrary code by sending a malicious pickle payload to a ZMQ SUB socket with no authentication, HMAC, or format validation. Attackers who can reach the writer XPUB endpoint on the cluster network or supply a forged Handle with an attacker-controlled remote_subscribe_addr can deliver a crafted pickle payload that executes arbitrary code simultaneously as the inference worker process on every remote reader worker."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-06-23T16:16:40.631Z"}}}, "cveMetadata": {"cveId": "CVE-2026-49121", "state": "PUBLISHED", "dateUpdated": "2026-06-30T03:17:21.026Z", "dateReserved": "2026-05-27T17:40:12.737Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-06-01T17:09:18.607Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amd:aiter:*:*:*:*:*:*:*:*", "matchCriteriaId": "1696F953-D8AC-488D-AC10-83EDC45D0943", "versionEndIncluding": "0.1.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within shm_broadcast.py that allows unauthenticated remote attackers to execute arbitrary code by sending a malicious pickle payload to a ZMQ SUB socket with no authentication, HMAC, or format validation. Attackers who can reach the writer XPUB endpoint on the cluster network or supply a forged Handle with an attacker-controlled remote_subscribe_addr can deliver a crafted pickle payload that executes arbitrary code simultaneously as the inference worker process on every remote reader worker."}], "id": "CVE-2026-49121", "lastModified": "2026-06-08T14:29:26.707", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-06-01T19:16:54.180", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Issue Tracking", "Mitigation"], "url": "https://github.com/ROCm/aiter/issues/3076"}, {"source": "disclosure@vulncheck.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/ROCm/aiter/pull/3170"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/ai-tensor-engine-for-rocm-aiter-unauthenticated-rce-via-messagequeue-recv-pickle-deserialization"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Mitigation"], "url": "https://github.com/ROCm/aiter/issues/3076"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{"bugzilla": {"description": "aiter: AI Tensor Engine for ROCm (AITER): Remote Code Execution via Unauthenticated Pickle Deserialization", "id": "2483882", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2483882"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within shm_broadcast.py that allows unauthenticated remote attackers to execute arbitrary code by sending a malicious pickle payload to a ZMQ SUB socket with no authentication, HMAC, or format validation. Attackers who can reach the writer XPUB endpoint on the cluster network or supply a forged Handle with an attacker-controlled remote_subscribe_addr can deliver a crafted pickle payload that executes arbitrary code simultaneously as the inference worker process on every remote reader worker.", "A flaw was found in AI Tensor Engine for ROCm (AITER). This vulnerability allows unauthenticated remote attackers to execute arbitrary code by sending a specially crafted data package, known as a pickle payload, to a ZeroMQ (ZMQ) subscriber socket. This exploitation is possible due to a lack of authentication, message integrity checks (HMAC), or format validation in the MessageQueue.recv() function. Successful exploitation can lead to arbitrary code execution on every remote reader worker, posing a critical risk to the system's integrity and confidentiality."], "mitigation": {"lang": "en:us", "value": "Mitigate this issue by limiting network access to AITER/vLLM inference worker ZMQ endpoints to trusted cluster nodes only. Do not expose XPUB/subscribe ports outside the cluster network.\nWhere multi-node ROCm inference is not required, prefer single-node deployments that bind ZMQ to localhost where supported.\nUpdate to a fixed AITER release (upstream fix expected in 0.1.15 or later) when provided in updated Red Hat AI Inference Server and Red Hat OpenShift AI container images. Refer to the errata or advisory linked from this CVE page when available."}, "name": "CVE-2026-49121", "package_state": [{"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-rocm-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-vllm-rocm-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-06-01T17:09:18Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-49121\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-49121\nhttps://github.com/ROCm/aiter/issues/3076\nhttps://github.com/ROCm/aiter/pull/3170\nhttps://www.vulncheck.com/advisories/ai-tensor-engine-for-rocm-aiter-unauthenticated-rce-via-messagequeue-recv-pickle-deserialization"], "statement": "Red Hat AI Inference Server and Red Hat OpenShift AI ship the AI Tensor Engine for ROCm (AITER) Python package as a dependency in ROCm-based vLLM container images. Affected streams embed AITER versions 0.1.5 through 0.1.7.post2, which are within the upstream affected range (0.1.14 and earlier).\nThe flaw is an unauthenticated remote code execution vulnerability in AITER MessageQueue.recv() (shm_broadcast.py), where data received on a ZeroMQ subscriber socket is deserialized with Python pickle without authentication or integrity checks (CWE-502).\nRed Hat rates this issue as Important. Our CVSS score reflects high attack complexity: exploitation requires network access to the inference worker ZMQ XPUB endpoint on the cluster network, or the ability to supply a forged distributed Handle with an attacker-controlled subscribe address. This is not a default remote attack against an unauthenticated internet-facing service.\nEngineering trackers are filed for affected product streams. Updated container images will be released when a fixed AITER version is available and integrated.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.1.14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "aiter", "source": "cna", "vendor": "ROCm"}, "product": "aiter", "vendor": "rocm"}], "created": "2026-06-01T20:45:25.622761+00:00", "updated": "2026-06-02T20:53:36.740752+00:00", "vendors": ["rocm", "rocm$PRODUCT$aiter"]}