CVE-2026-53805

CRITICAL NVD

CVSS Score 9.8

Severity CRITICAL

Published Jun 17, 2026

Vendor unknown

Description

NVIDIA Spatial Intelligence Lab's (SIL) GEN3C contains an unauthenticated remote code execution vulnerability in the inference API server where the /request-inference and /seed-model endpoints deserialize raw HTTP request bodies using Python's pickle.loads() without authentication or input validation. Attackers can supply a crafted payload containing a __reduce__ gadget to the inference API port to achieve remote code execution as the inference process.

References

https://github.com/nv-tlabs/GEN3C/commit/db2ffe12ced12ddafcec5e0422ee46ce8520746b
https://github.com/nv-tlabs/GEN3C/pull/62
https://github.com/nv-tlabs/GEN3C/pull/63
https://www.vulncheck.com/advisories/nvidia-sil-gen3c-unauthenticated-rce-via-pickle-deserialization-in-inference-api