VYPR
Critical severity · CVSS 9.8 · NVD Advisory · Published May 18, 2026 · Updated May 19, 2026

CVE-2026-7301

Description

SGLang's multimodal generation runtime scheduler binds its ROUTER socket to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when the socket is exposed to the internet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unsafe pickle deserialization in SGLang's multimodal scheduler ROUTER socket allows unauthenticated remote code execution when the socket is exposed to the internet.

Vulnerability

The SGLang multimodal generation runtime scheduler binds a ZeroMQ ROUTER socket to 0.0.0.0 by default. The scheduler contains a sink that calls pickle.loads() on incoming messages without any sanitization. This unsafe deserialization vulnerability affects SGLang v0.5.5 and later when the multimodal runtime is enabled and the scheduler socket is reachable (e.g., via --host 0.0.0.0) [1]. The official SGLang repository shows the code structure under python/sglang/multimodal_gen [2].

Exploitation

An unauthenticated attacker with network access to the exposed scheduler socket can craft a malicious ZeroMQ message containing a serialized pickle payload. For example, a class implementing __reduce__ can execute arbitrary system commands when deserialized by pickle.loads() [1]. No authentication, user interaction, or special privileges are required; the only precondition is that the scheduler socket is reachable over the network.

Impact

Successful exploitation yields remote code execution on the host running SGLang. The attacker gains the privilege level of the SGLang process, which typically runs as the user who started the service. This can lead to full system compromise, including data exfiltration, lateral movement, or installation of malware [1]. The CVSS v3.1 score is 9.8 (Critical).

Mitigation

As of the publication date (2026-05-18), no official patch is available. The vendor did not respond during coordinated disclosure with CERT/CC. Until a fix is released, users should ensure the scheduler socket is not exposed to untrusted networks—for example, by binding to 127.0.0.1 instead of 0.0.0.0, or by using a firewall to restrict access [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
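Two defensive controls that address the conditions described above, bind address and unsanitized pickle.loads(), as an added example that is not SGLang's code or a vendor patch. The socket I/O is left out so it runs with the standard library alone; the function names, the message format and the sample frames are hypothetical and constructed for illustration.

```python
# Added example (not SGLang's code): defensive controls for a scheduler that
# receives pickled messages on a ZeroMQ ROUTER socket. Names are hypothetical.
import builtins
import datetime
import io
import ipaddress
import pickle


# Control 1: refuse wildcard/public bind addresses unless explicitly allowed.
def is_loopback_bind(host: str) -> bool:
    """True only for loopback addresses (127.0.0.0/8, ::1, 'localhost')."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames are not treated as local here


def scheduler_endpoint(host: str, port: int, allow_remote: bool = False) -> str:
    """Build the ZeroMQ endpoint string, refusing non-loopback hosts by default."""
    if not allow_remote and not is_loopback_bind(host):
        raise ValueError(f"refusing to bind scheduler socket to {host!r}; "
                         "set allow_remote=True only behind network access controls")
    return f"tcp://{host}:{port}"


# Control 2: restricted unpickling. pickle.loads() resolves and calls any global
# the stream names; find_class() is the hook that performs that resolution, so
# rejecting everything outside a small allowlist removes the code-execution path.
_ALLOWED_GLOBALS = {
    ("builtins", name)
    for name in ("dict", "list", "tuple", "set", "frozenset",
                 "str", "bytes", "int", "float", "bool")
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        if (module, name) in _ALLOWED_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_loads(data: bytes):
    """Return (object, None) on success or (None, error_message) on rejection."""
    try:
        return safe_loads(data), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)


# Constructed sample frames (not captured traffic). The first is the kind of
# plain request dict a scheduler expects. The second pickles a datetime.date:
# harmless, but it references a global outside the allowlist, which exercises
# the rejection path without embedding anything executable.
SAMPLE_REQUEST = pickle.dumps({"req_id": 7, "prompt": "describe the image", "n": 1})
SAMPLE_UNLISTED_GLOBAL = pickle.dumps(datetime.date(2026, 5, 18))


def handle_frame(frame: bytes) -> dict:
    """What the message sink should do instead of calling pickle.loads() directly."""
    obj, err = try_loads(frame)
    if err is not None:
        return {"status": "rejected", "reason": err}
    if not isinstance(obj, dict):
        return {"status": "rejected", "reason": "message is not a request dict"}
    return {"status": "ok", "req_id": obj.get("req_id")}


if __name__ == "__main__":
    print(scheduler_endpoint("127.0.0.1", 30000))
    print(handle_frame(SAMPLE_REQUEST))          # accepted
    print(handle_frame(SAMPLE_UNLISTED_GLOBAL))  # rejected by find_class()
```

The allowlist approach is the standard-library recommendation (override `Unpickler.find_class`), but it only narrows what pickle can resolve; a scheduler that controls both ends of the link is better served by a format with no code-loading semantics at all (JSON, msgpack) plus the loopback-only bind shown in `scheduler_endpoint`.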

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.