External risk intelligence

AI Tensor Engine ROCm MessageQueue Pickle Deserialization RCE

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-49121

The vulnerability resides in a ZMQ-based message queue system for AI inference clusters. While network-reachable, these components are typically deployed within private, isolated cluster environments or internal data center networks rather than being exposed directly to the public internet. Public exposure would require unusual network configuration.

Deserialization

Amd Aiter

0.1.14 and earlier

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the AI Tensor Engine for ROCm allows unauthenticated remote attackers to execute arbitrary code by sending a malicious data payload. This could enable attackers to run unauthorized commands on affected systems within a cluster network. The main concern is confirming relevance and exposure.

  • Malicious data can execute unauthorized commands.
  • It impacts systems running AI Tensor Engine for ROCm.
  • Confirm relevance and exposure of AI Tensor Engine.

Attack Path

How an attacker could exploit the issue

An attacker could gain remote code execution by sending a specially crafted message containing a malicious pickle payload to a susceptible AI Tensor Engine for ROCm (AITER) MessageQueue. This could occur if the attacker can reach an XPUB endpoint on the cluster network or forge a Handle with an attacker-controlled address, bypassing any security checks and allowing arbitrary code to run on remote reader workers.

  • Network access to cluster endpoints required.
  • Sending a malicious pickle payload triggers vulnerability.
  • Arbitrary code execution on reader workers.

Live Threat

Current exploitation, exposure, and threat context

Unauthenticated remote code execution could impact inference worker processes on every remote reader worker. This occurs when an attacker can reach a specific endpoint or forge a handle, allowing them to send a malicious pickle payload. The vulnerability is present in the MessageQueue.recv() function when no authentication, HMAC, or format validation is applied.

  • Inference worker processes.
  • Network reachable endpoint or forged handle.
  • Arbitrary code execution on readers.

Operational Fix

Recommended remediation, mitigation, and detection steps

The AI Tensor Engine for ROCm (AITER) vulnerability likely impacts teams responsible for AI/ML infrastructure, platform engineering, or those managing GPU compute clusters. The immediate first step is to identify all AITER deployments, confirm their network reachability and criticality, and locate the specific system or application owner responsible for its maintenance and security. A risk-based remediation plan should then be developed, coordinating with the vendor if necessary.

  • Confirm AITER deployment and criticality.
  • Identify system or application owner.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the AI Tensor Engine for ROCm (AITER)?

AITER is a software component used in AI and machine learning infrastructure to manage communication within GPU compute clusters. It facilitates message passing for inference tasks, helping different worker processes coordinate data processing. It is specifically designed for the ROCm open-source software stack, which enables high-performance computing on AMD GPUs.

How does CVE-2026-49121 work?

This vulnerability is classified as CWE-502, or deserialization of untrusted data. The AITER MessageQueue.recv() function processes incoming network messages without validating their format or authenticity. Because it uses the Python pickle module to handle this data, an attacker can send a specially crafted payload that, when deserialized by the system, forces the application to execute arbitrary code.

Do I need network access to exploit this vulnerability?

Yes. An attacker must be able to reach specific ZMQ endpoints on the cluster network to send the malicious pickle payload. Merely having general access to the broader network is not sufficient; the attacker must be able to communicate with the cluster's XPUB endpoint or provide a forged Handle. Legitimate, non-malicious traffic or local processes that do not interact with these network sockets will not trigger this flaw.

Is my AITER cluster at high risk?

According to Halo Surface Signal, this is unlikely for most users. Because AITER components are designed for internal AI inference clusters, they are typically deployed within private, isolated networks rather than exposed to the public internet. However, if your specific network configuration inadvertently makes these internal ZMQ endpoints accessible from untrusted areas, the risk level increases significantly.

What should I do if I use AITER?

Start by auditing your infrastructure to locate all instances of AITER. Once identified, verify their network accessibility to ensure they are properly isolated behind security boundaries and not reachable by unauthorized parties. Identify the owners for these systems, assess the business criticality of the clusters, and coordinate a plan to apply necessary vendor-provided updates or security patches as they become available.

References