The vulnerability in ROCm's AI Tensor Engine (AITER) up to version 0.1.14 involves insecure deserialization of untrusted data via the MessageQueue.recv() function in shm_broadcast.py. Specifically, the ZMQ SUB socket accepts pickle payloads without authentication, HMAC, or format validation, allowing unauthenticated remote attackers to send crafted pickle data that triggers arbitrary code execution. Exploitation requires network access to the writer XPUB endpoint or the ability to supply a forged Handle with an attacker-controlled remote_subscribe_addr. This leads to simultaneous code execution on inference worker processes across remote reader workers. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No official remediation or patch has been documented as of the publication date.

Successful exploitation allows unauthenticated remote attackers to execute arbitrary code on inference worker processes within the affected ROCm AITER environment. This compromises confidentiality, integrity, and availability of the system, potentially enabling full system compromise or disruption of AI inference workloads. The vulnerability affects all deployments using vulnerable versions without network-level protections or mitigations. No known exploits are reported in the wild yet.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict network access to the writer XPUB endpoint and prevent untrusted entities from connecting to the ZMQ SUB socket. Implement network segmentation and access controls to limit exposure. Monitor vendor channels for updates and apply patches promptly once released.