CVE-2026-53805

CRITICAL EPSS 48.0%
Published Jun 17, 20261w ago · Modified Jun 22, 20261w ago
9.3 CVSS 4.0
Critical
Find Similar
Published Jun 17, 2026 1w ago
Last Modified Jun 22, 2026 1w ago

Description

NVIDIA Spatial Intelligence Lab's (SIL) GEN3C contains an unauthenticated remote code execution vulnerability in the inference API server where the /request-inference and /seed-model endpoints deserialize raw HTTP request bodies using Python's pickle.loads() without authentication or input validation. Attackers can supply a crafted payload containing a __reduce__ gadget to the inference API port to achieve remote code execution as the inference process.

CVSS Details

Base Score
9.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
48.0% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-502 Deserialization of Untrusted Data Validation

References 4

  • github.com https://github.com/nv-tlabs/GEN3C/commit/db2ffe12ced12ddafcec5e0422ee46ce8520746b
  • github.com https://github.com/nv-tlabs/GEN3C/pull/62
  • github.com https://github.com/nv-tlabs/GEN3C/pull/63
  • vulncheck.com https://www.vulncheck.com/advisories/nvidia-sil-gen3c-unauthenticated-rce-via-pickle-deserialization-in-inference-api

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.