RC RANDOM CHAOS

SGLang RCE Flaw Turns Malicious GGUF Model Files Into Code Execution

· via The Hacker News

Original source

SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files

A critical vulnerability tracked as CVE-2026-5760 has been disclosed in SGLang, a serving framework widely used to run large language models at scale. Rated 9.8 on the CVSS scale, the flaw allows attackers to achieve remote code execution on hosts that load a specially crafted GGUF model file, turning the model artifact itself into a delivery vehicle for arbitrary code.

The attack path exploits the trust boundary around model loading. Because GGUF files are frequently pulled from public hubs and community repositories, a poisoned weight file can traverse the supply chain and land directly inside inference servers, bypassing the perimeter controls that typically sit in front of application code. Once the embedded code executes, the attacker inherits whatever privileges the inference process holds, which in GPU-backed deployments often means elevated access to accelerators, model weights, and connected data sources.

The disclosure reinforces a pattern now recurring across the AI stack: parsers and loaders for model formats are becoming a primary attack surface, and organizations treating model files as passive data rather than executable input are exposed. Operators running SGLang should patch immediately, pin model sources to verified hashes, and isolate inference workers from credentialed systems until the fix is rolled out.
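The hash-pinning step above can be enforced as a fail-closed gate that runs before any model file reaches the loader. The sketch below is an added example, not code from SGLang or from the original article; the manifest layout, the function names and the file name `example-model.gguf` are hypothetical.

```python
import hashlib
import os
import tempfile

class ModelPinError(Exception):
    """Raised when a model file is unpinned or does not match its pin."""

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte weights never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_pinned_model(path, pins):
    """Fail closed: return the digest only if it matches the pin for this name."""
    # `pins` is a hypothetical manifest: file name -> SHA-256 hex digest.
    name = os.path.basename(path)
    expected = pins.get(name)
    if expected is None:
        raise ModelPinError(f"{name}: no pinned hash, refusing to load")
    actual = sha256_file(path)
    if actual != expected.lower():
        raise ModelPinError(f"{name}: digest {actual} does not match pin")
    return actual

def rejected(path, pins):
    """True when the gate refuses the file."""
    try:
        verify_pinned_model(path, pins)
    except ModelPinError:
        return True
    return False

def demo():
    """Constructed sample: stand-in bytes, not a real GGUF model."""
    with tempfile.TemporaryDirectory() as d:
        model = os.path.join(d, "example-model.gguf")
        with open(model, "wb") as fh:
            fh.write(b"constructed placeholder weights")
        pins = {"example-model.gguf": sha256_file(model)}
        accepted = not rejected(model, pins)
        unpinned = rejected(model, {})
        with open(model, "ab") as fh:   # simulate a swapped artifact
            fh.write(b"tampered")
        return accepted, unpinned, rejected(model, pins)

if __name__ == "__main__":
    print(demo())
```

A matching hash only proves the file is the one that was reviewed when the pin was recorded, so the manifest itself has to come from a trusted, write-protected source. Verify and load from a location the inference process cannot write to, so the file cannot be swapped between the check and the load.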

This is an AI-generated summary. Read the original for the full story.