CISA alerts on SGLang pickle deserialization RCE

SGLang, an open-source framework for serving large language and multimodal models, contains unsafe pickle deserialization flaws that can enable remote code execution when certain components or scripts are active.

Technical details: The issues are CVE-2026-3059, CVE-2026-3060, and CVE-2026-3989. CVE-2026-3059 affects the multimodal generation module where the ZMQ broker deserializes untrusted input using pickle.loads() without authentication, enabling unauthenticated remote code execution. CVE-2026-3060 affects the encoder parallel disaggregation system where the disaggregation module deserializes untrusted input using pickle.loads() without authentication. SGLang is vulnerable to CVE-2026-3059 when the multimodal generation system is enabled and to CVE-2026-3060 when the encoder parallel disaggregation system is enabled; if either condition is met and an attacker knows the Transmission Control Protocol (TCP) port on which the ZMQ broker is listening and can send requests to the server, the attacker can exploit the vulnerability by sending a malicious pickle file to the broker, which will then deserialize it. CVE-2026-3989 is in replay_request_dump.py, which uses pickle.load() without validation; providing a malicious .pkl file to that script will execute the attacker’s code on the device. The advisory describes CVE-2026-3989 as having low applicability but high impact and notes it can be exploited if an attacker can provide a malicious pickle file or write to the crash dump directory, potentially through social engineering or by compromising a directory where crash dump information is automatically saved.

Impact: An attacker able to send crafted messages to the ZeroMQ interface may trigger unsafe pickle deserialization in SGLang when the specified features are enabled, potentially leading to remote code execution. An attacker who can supply a malicious pickle file in the context of a crash dump may also exploit CVE-2026-3989. Successful exploitation could allow arbitrary code execution in the context of the SGLang service, potentially leading to host compromise, lateral movement, data exfiltration, or Denial of Service (DoS). Deployments that expose the affected interface to untrusted networks are described as being at the highest risk of exploitation.

Solution/status: The advisory states users of SGLang should restrict access to the service interfaces and ensure they are not exposed to untrusted networks. It recommends implementing proper network segmentation and access controls to prevent unauthorized interaction with ZeroMQ endpoints. During coordinated disclosure no vendor statement was obtained; a proposed patch was submitted to the maintainers, but no response was received at the time of publication.

Advisory guidance: The advisory discourages use of pickle because of its inherent security risks, noting that pickle.loads() and pickle.load() can execute instructions contained in a pickle stream during deserialization. It advises against implementing pickle-based deserialization and recommends safer, data-only serialization formats such as JSON or XML, or tools like msgpack, in place of open-ended pickle deserialization.
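As an added example (not SGLang's code and not from the advisory), the two mitigations the technical-details and guidance sections point at, in Python: a restricted unpickler that denies the global lookup pickle.loads() uses to reach callables (a stop-gap for a component that must still accept an existing pickle stream), and a JSON-based encoder/decoder for the broker message as the data-only replacement the advisory recommends. The message field names and sample streams are constructed; SGLang's real message schema is not on this page.

```python
import io
import json
import os
import pickle

# Builtins that may be resolved while unpickling: plain data constructors only.
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                 "str", "bytes", "int", "float", "bool"}

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global outside SAFE_BUILTINS.

    pickle resolves every module.name reference in the stream via find_class()
    and may then call it; that is the code-execution path the advisory
    describes, and denying the lookup here closes it.
    """
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")

def safe_loads(data: bytes):
    """Stop-gap drop-in for pickle.loads() on an untrusted stream."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def rejects(data: bytes) -> bool:
    """True when safe_loads() refuses the stream."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False

# Preferred fix: a data-only wire format for the broker message (hypothetical
# field names; SGLang's real message schema is not on the advisory page).
def encode_request(req: dict) -> bytes:
    return json.dumps(req, separators=(",", ":")).encode()

def decode_request(data: bytes) -> dict:
    obj = json.loads(data)
    if not isinstance(obj, dict) or not isinstance(obj.get("prompt"), str):
        raise ValueError("malformed request")
    obj["max_tokens"] = int(obj.get("max_tokens", 16))  # coerce, never eval
    return obj

# Constructed sample streams. REFERENCE_STREAM only names a harmless callable
# (os.getcwd); it stands in for the callables a hostile pickle would name.
BENIGN_STREAM = pickle.dumps({"prompt": "describe the image", "max_tokens": 32})
REFERENCE_STREAM = pickle.dumps(os.getcwd)
```

The restricted loader follows the "restricting globals" pattern from the Python pickle documentation and only narrows what a stream can reach; it does not make pickle safe for untrusted input, which is why the JSON path is the actual fix.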