<!-- curated:true -->
# [HIGH] SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files

**Source:** The Hacker News
**Published:** 2026-04-20
**Article:** https://thehackernews.com/2026/04/sglang-cve-2026-5760-cvss-98-enables.html
**Curated:** Analyst-reviewed 2026-04-28

## Threat profile

**SGLang** is a high-performance LLM inference framework, used in production AI/ML serving stacks. **CVE-2026-5760 (CVSS 9.8 — critical)** allows **unauthenticated remote code execution** via a maliciously-crafted **GGUF model file**. GGUF is the quantised-model file format popularised by `llama.cpp` and shared widely on Hugging Face, Ollama, and similar registries.

The attack vector is "user loads a model from a registry → SGLang parses it → arbitrary code executes as the SGLang server". Anywhere SGLang is used to dynamically load community-supplied or user-uploaded models is exposed. This is a **supply-chain-style flaw** targeting AI infrastructure.

## Indicators of Compromise

- `CVE-2026-5760` — patch tracker

The article doesn't list specific malicious GGUF hashes (those are crafted per-attack). What's hunt-worthy is:
- SGLang processes spawning unexpected child processes
- Outbound network connections from SGLang server hosts
- Newly-loaded GGUF files from non-trusted paths

## MITRE ATT&CK (analyst-validated)

- **T1190** — Exploit Public-Facing Application (when SGLang is exposed)
- **T1195.002** — Compromise Software Supply Chain (the malicious-model vector)
- **T1059** — Command and Scripting Interpreter (the RCE primitive)
- **T1071.001** — Web Protocols (likely C2 method post-exploit, given AI infra is HTTP-heavy)

## Recommended SOC actions (priority-ordered)

1. **Inventory SGLang installations.** Talk to your AI/ML team. Any production SGLang serving needs to be on the patched version *now*.
2. **Restrict model sources.** Only load GGUF models from your internal registry / approved Hugging Face mirrors with hash pinning. No user-supplied models.
3. **Network-isolate AI inference servers.** They should not have direct outbound Internet access. Egress filtering catches post-RCE C2.
4. **Hunt.** The post-exploit signature is SGLang Python processes spawning unusual children (cmd, bash, curl, wget); see the queries below.
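One way to enforce action 2 (hash pinning plus a cheap header sanity check) before a GGUF file ever reaches the inference loader. This is an added example, not SGLang's own code; the allowlist dict, the sample header bytes and the count limits are constructed for illustration.

```python
"""Pre-load gate for GGUF files: SHA-256 allowlist + fixed-header sanity check.

Added example (not SGLang code). The allowlist is assumed to be maintained by
the AI/ML team; here it is a constructed in-memory dict.
"""
import hashlib
import struct

GGUF_MAGIC = b"GGUF"
# Conservative upper bounds on header counts; real models are far below these.
# These limits are a local policy choice, not a statement about the CVE.
MAX_TENSORS = 1_000_000
MAX_KV = 100_000


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_gguf_header(data: bytes) -> dict:
    """Parse the fixed 24-byte GGUF header (magic, u32 version, u64 counts)."""
    if len(data) < 24:
        raise ValueError("truncated GGUF header")
    if data[:4] != GGUF_MAGIC:
        raise ValueError(f"bad magic {data[:4]!r}")
    (version,) = struct.unpack_from("<I", data, 4)
    if version not in (2, 3):  # v1 used u32 counts; reject it by policy
        raise ValueError(f"unsupported GGUF version {version}")
    n_tensors, n_kv = struct.unpack_from("<QQ", data, 8)
    if n_tensors > MAX_TENSORS or n_kv > MAX_KV:
        raise ValueError("implausible tensor/kv counts in header")
    return {"version": version, "n_tensors": n_tensors, "n_kv": n_kv}


def gate_model(data: bytes, allowlist: dict) -> tuple:
    """Allow a file only if its digest is pinned AND its header parses sanely."""
    digest = sha256_of(data)
    if digest not in allowlist:
        return False, f"sha256 {digest[:12]}... not in allowlist"
    try:
        hdr = parse_gguf_header(data)
    except ValueError as exc:
        return False, f"header check failed: {exc}"
    return True, f"{allowlist[digest]} (GGUF v{hdr['version']}) ok"


# Constructed samples: a minimal GGUF v3 header with no tensors/metadata,
# a zip-signature file renamed .gguf, and a header with absurd counts.
GOOD = GGUF_MAGIC + struct.pack("<IQQ", 3, 0, 0)
BAD_MAGIC = b"PK\x03\x04" + GOOD[4:]
HUGE = GGUF_MAGIC + struct.pack("<IQQ", 3, 2**40, 0)
ALLOWLIST = {sha256_of(GOOD): "internal-registry/tiny-model"}
```

Wire `gate_model` in front of whatever loads the file; an unpinned or malformed file never reaches the parser, which is the exposure this advisory describes.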

## Splunk SPL — Python serving processes spawning shells

```spl
| tstats `summariesonly` count min(_time) AS firstTime max(_time) AS lastTime
    from datamodel=Endpoint.Processes
    where Processes.parent_process_name IN ("python.exe","python3","python","sglang","uvicorn")
      AND Processes.process_name IN ("cmd.exe","bash","sh","powershell.exe","curl","curl.exe","wget","wget.exe","nc","ncat")
    by Processes.dest, Processes.user, Processes.parent_process_name,
       Processes.process_name, Processes.process
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
```

## Splunk SPL — vuln exposure

```spl
| tstats `summariesonly` count
    from datamodel=Vulnerabilities
    where Vulnerabilities.signature="CVE-2026-5760"
    by Vulnerabilities.dest, Vulnerabilities.severity, Vulnerabilities.cve
| `drop_dm_object_name(Vulnerabilities)`
| sort - severity
```

## Defender KQL — Python AI-server child processes

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("python.exe","python3","python","uvicorn","sglang")
| where FileName in~ ("cmd.exe","bash","sh","powershell.exe","curl","wget","nc","ncat","busybox")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, FileName, ProcessCommandLine
| order by Timestamp desc
```

## Defender KQL — outbound from AI inference hosts

```kql
let aiHosts = dynamic(["sglang-prod-01","sglang-prod-02"]);  // <- name your AI inference hosts
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where DeviceName in (aiHosts)
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName in~ ("python.exe","python3")
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

## Defender KQL — vuln exposure

```kql
DeviceTvmSoftwareVulnerabilities
| where CveId =~ "CVE-2026-5760"
// DeviceInfo holds many rows per device; take the latest so the join
// does not multiply results
| join kind=inner (DeviceInfo | summarize arg_max(Timestamp, *) by DeviceId) on DeviceId
| project DeviceName, OSPlatform, SoftwareName, SoftwareVersion, CveId,
          VulnerabilitySeverityLevel, RecommendedSecurityUpdate
```

## Why this matters for your SOC

AI/ML infrastructure is the new attack surface most security teams aren't monitoring yet. CVSS 9.8 + unauth + RCE in a popular inference framework + a delivery vector (malicious GGUF) that bypasses traditional file-format detection = attackers will weaponise this fast. **If your org runs LLM inference internally and your security team hasn't talked to the AI/ML team about it, that's the conversation to have today.**
