PatchSiren

CVE-2026-7301 SGLang CVE debrief

SGLang's multimodal generation runtime scheduler exposes a ROUTER socket that binds to 0.0.0.0 by default and deserializes incoming messages using pickle.loads(), enabling unauthenticated remote code execution when the service is internet-facing. The vulnerability stems from unsafe deserialization (CWE-502) combined with a permissive network binding, allowing attackers to send crafted pickle payloads that execute arbitrary Python code on the host system. This affects SGLang version 0.5.10 and represents a critical exposure for deployments with publicly accessible scheduler endpoints.

Vendor: SGLang
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-19
Advisory published: 2026-05-18
Advisory updated: 2026-05-19

Who should care

Organizations running SGLang for multimodal AI inference, particularly those with internet-facing deployments or multi-tenant environments. Cloud security teams, ML platform engineers, and infrastructure operators responsible for AI/ML serving infrastructure should prioritize assessment and remediation.

Technical summary

The SGLang multimodal generation runtime scheduler implements a ZeroMQ ROUTER socket that binds to all network interfaces (0.0.0.0) by default. Incoming messages are processed through a sink that calls pickle.loads() without validation, creating a deserialization vulnerability. An unauthenticated remote attacker can send a crafted pickle payload to the exposed socket, achieving arbitrary code execution with the privileges of the SGLang process. The CVSS 3.1 score of 9.8 reflects the network attack vector, low attack complexity, no required privileges, and high impact to confidentiality, integrity, and availability.

Defensive priority

P0-Critical

Recommended defensive actions

  • Immediately restrict network access to SGLang scheduler endpoints using host-based firewalls, security groups, or network ACLs to prevent internet exposure
  • Audit all SGLang deployments to identify any instances with publicly accessible ROUTER sockets on TCP ports used by the scheduler
  • Apply vendor patches when available; monitor the SGLang GitHub repository for security updates addressing unsafe deserialization
  • Implement defense-in-depth by deploying SGLang services within isolated network segments with strict egress controls
  • Review application logs for anomalous pickle deserialization attempts or unexpected network connections to scheduler endpoints
  • Consider replacing pickle-based message serialization with safer alternatives such as JSON or MessagePack with schema validation where feasible
  • Enable comprehensive logging and monitoring for SGLang scheduler processes to detect potential exploitation attempts
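
The sketch below illustrates two of the actions above: decoding scheduler messages as schema-checked JSON instead of calling pickle.loads(), and flagging endpoints that bind to every interface. It is an example added to this debrief, not SGLang's code or its patch; the message fields, allowed operations, size limit and function names are assumptions made for the illustration.

```python
import json

# Hypothetical message schema (not SGLang's wire format): field -> required type.
SCHEMA = {"request_id": str, "op": str, "prompt": str, "max_tokens": int}
ALLOWED_OPS = {"generate", "abort"}
MAX_BYTES = 64 * 1024
WILDCARD_HOSTS = {"*", "0.0.0.0", "::", "[::]"}


class RejectedMessage(ValueError):
    """Raised for any frame that does not match the schema exactly."""


def decode_message(raw: bytes) -> dict:
    """Parse one frame as schema-checked JSON; pickle is never invoked."""
    if len(raw) > MAX_BYTES:
        raise RejectedMessage("frame too large")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (ValueError, RecursionError) as exc:
        # Pickle streams and other binary frames end here as plain data errors.
        raise RejectedMessage(f"not valid UTF-8 JSON: {exc}") from None
    if not isinstance(msg, dict) or set(msg) != set(SCHEMA):
        raise RejectedMessage("unexpected or missing fields")
    for field, typ in SCHEMA.items():
        # Exact type match: bool is a subclass of int and must not pass as one.
        if type(msg[field]) is not typ:
            raise RejectedMessage(f"{field}: expected {typ.__name__}")
    if msg["op"] not in ALLOWED_OPS:
        raise RejectedMessage("unknown op")
    if not 1 <= msg["max_tokens"] <= 4096:
        raise RejectedMessage("max_tokens out of range")
    return msg


def is_wildcard_bind(endpoint: str) -> bool:
    """True if a ZeroMQ-style tcp:// endpoint listens on every interface."""
    scheme, _, rest = endpoint.partition("://")
    host = rest.rsplit(":", 1)[0]
    return scheme == "tcp" and host in WILDCARD_HOSTS
```

A JSON decoder of this kind only builds plain data types, so a rejected frame costs a parse error rather than code execution; it does not replace network restriction or authentication on the socket.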

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. The affected product version (0.5.10) is confirmed through CPE criteria in the NVD data. The technical details regarding pickle deserialization and 0.0.0.0 binding are derived from the CVE description. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) confirms network attack vector with low complexity and no privileges required.

Official resources

CVE-2026-7301 was published on 2026-05-18 and last modified on 2026-05-19. The vulnerability was disclosed through coordinated disclosure with analysis published by security researchers.