Overview
CVE-2026-12191 is a high-severity insecure deserialization vulnerability in Comma AI Openpilot, an open-source autonomous driving research platform. The vulnerability exists in the modeld.py module, which uses Python’s pickle.load() and pickle.loads() to deserialize untrusted data without any validation or sanitization. A local attacker with access to the system can craft a malicious pickle payload to achieve arbitrary code execution in the context of the Openpilot process.
Affected Software
| Product | Version | Component |
|---|---|---|
| Comma AI Openpilot | 0.11 | modeld.py |
Vulnerability Details
The modeld.py module within Openpilot deserializes data using Python’s pickle.load() and pickle.loads() functions. Python’s pickle module is inherently unsafe when used on untrusted input, as it can execute arbitrary code during deserialization. The affected code path accepts pickle-serialized data without any integrity checks, cryptographic verification, or input sanitization.
CVSS v3.1 Score: 7.8 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Impact
Successful exploitation allows a local attacker with low privileges to execute arbitrary code on the host system running Openpilot. Given that Openpilot is deployed on vehicles interfacing with critical driving systems (steering, acceleration, braking), code execution at this level poses significant safety risks. An attacker could potentially:
- Execute arbitrary commands on the Comma device
- Manipulate or intercept model inference data
- Persist malicious code within the Openpilot environment
- Escalate privileges within the vehicle’s connected systems
Mitigation
Users of Comma AI Openpilot 0.11 should take the following steps:
- Upgrade: Apply the latest Openpilot release where pickle deserialization has been replaced with a safe serialization format (e.g., JSON, MessagePack, or a sandboxed deserializer).
- Workaround: If immediate upgrade is not possible, restrict local access to the device and ensure only trusted processes can write data consumed by modeld.py.
- Code Fix: Replace pickle.load()/pickle.loads() calls with a safe alternative such as json.loads() or numpy.load() with allow_pickle=False.
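The following is an added example illustrating the vulnerability class described under Vulnerability Details and the Code Fix recommended above; it is not code from Openpilot or from Comma AI. It shows three defensive pieces: a scanner that disassembles a pickle stream with pickletools.genops (no execution) and flags the opcodes that import or call code, a restricted Unpickler that refuses every global lookup as a stop-gap, and the advisory's recommended replacement of pickle with JSON plus a schema check. The record keys (lead_prob, lane_lines) are a hypothetical schema, since the advisory does not show modeld.py's data structures, and an OrderedDict pickle is used as a constructed stand-in for a stream that references a global: it exercises the same opcode family without involving any harmful callable.

```python
import io
import json
import pickle
import pickletools
from collections import OrderedDict

# Pickle opcodes that import a callable or invoke one during load. A stream
# that only carries plain data (numbers, strings, lists, dicts, tuples) never
# needs any of them, so their presence is the thing to alarm on.
DANGEROUS_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD",
}


def scan_pickle(data: bytes) -> list:
    """Return the names of dangerous opcodes in a pickle stream, in order.

    pickletools.genops only disassembles; nothing in the stream is executed,
    so this is safe to run on untrusted input as a detection step.
    """
    found = []
    try:
        for opcode, _arg, _pos in pickletools.genops(data):
            if opcode.name in DANGEROUS_OPCODES:
                found.append(opcode.name)
    except ValueError:
        # Truncated or malformed stream: report it rather than silently passing.
        found.append("MALFORMED")
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup.

    Loading a data-only pickle never calls find_class, so raising here closes
    the code-execution path while benign inference data still loads. This is
    a stop-gap only; the real fix is to stop using pickle for untrusted input.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global lookup {module}.{name} is not allowed")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_loads_rejects(data: bytes) -> bool:
    """True if the restricted unpickler refuses the stream."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Hypothetical schema for a model output record (constructed for this example;
# the advisory does not show the real modeld.py structures).
EXPECTED_KEYS = {"lead_prob", "lane_lines"}


def json_loads_checked(data: bytes) -> dict:
    """The advisory's recommended replacement: JSON plus a schema check.

    json.loads can only produce plain data types, so there is no code path
    to hijack; the key/type checks reject structurally wrong records early.
    """
    obj = json.loads(data.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) != EXPECTED_KEYS:
        raise ValueError("unexpected model output schema")
    if not isinstance(obj["lead_prob"], float):
        raise ValueError("lead_prob must be a float")
    if not all(isinstance(x, float) for x in obj["lane_lines"]):
        raise ValueError("lane_lines must be a list of floats")
    return obj


def demo() -> dict:
    """Run the three checks against constructed sample inputs."""
    record = {"lead_prob": 0.87, "lane_lines": [0.1, 0.2, 0.3]}
    # Constructed benign pickle: plain data only.
    benign = pickle.dumps(record, protocol=4)
    # Constructed stand-in for a hostile stream: pickling an OrderedDict makes
    # the stream import collections.OrderedDict, the same opcode family that a
    # code-executing payload relies on. No harmful callable is involved here.
    global_ref = pickle.dumps(OrderedDict(record), protocol=4)
    return {
        "benign_flags": scan_pickle(benign),
        "global_flags": scan_pickle(global_ref),
        "benign_loaded": restricted_loads(benign),
        "global_rejected": restricted_loads_rejects(global_ref),
        "json_loaded": json_loads_checked(json.dumps(record).encode("utf-8")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scanner is useful as a detection control (for example, over files written into the directory modeld.py reads from), while the restricted unpickler is only a bridge until the consumer is moved to a data-only format such as JSON or numpy.load() with allow_pickle=False.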
References
- NVD: CVE-2026-12191
- Comma AI Openpilot GitHub Repository
- Python Pickle Documentation (Security Warning)
Disclaimer: This advisory is provided for informational and defensive purposes only. Always test patches in a controlled environment before deployment.
