Search

Find a vulnerability

Search criteria

    96 vulnerabilities found for vllm by vllm-project

    CVE-2026-55574 (GCVE-0-2026-55574)

    Vulnerability from nvd – Published: 2026-07-06 20:05 – Updated: 2026-07-06 20:52
    VLAI
    Title
    vLLM: ReDoS via structured_outputs.regex compiled without timeout in xgrammar and outlines backends
    Summary
    vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, the structured_outputs.regex API parameter passes a user-supplied regular expression string directly to the grammar compiler backends with no compilation timeout; in the xgrammar backend the string reaches the regex compiler with no guard, and in the outlines backend the validation step blocks structural issues such as lookarounds and backreferences but performs no complexity analysis, so a pattern with nested quantifiers passes all checks and causes exponential state-space expansion, allowing a single request containing an adversarial regex to hang an inference worker indefinitely and deny service. This issue is fixed in version 0.24.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: < 0.24.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55574",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T20:52:49.859777Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T20:52:57.336Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.24.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, the structured_outputs.regex API parameter passes a user-supplied regular expression string directly to the grammar compiler backends with no compilation timeout; in the xgrammar backend the string reaches the regex compiler with no guard, and in the outlines backend the validation step blocks structural issues such as lookarounds and backreferences but performs no complexity analysis, so a pattern with nested quantifiers passes all checks and causes exponential state-space expansion, allowing a single request containing an adversarial regex to hang an inference worker indefinitely and deny service. This issue is fixed in version 0.24.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T20:05:31.003Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-rwxx-mrjm-wc2m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-rwxx-mrjm-wc2m"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/45118",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/45118"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/2b3006076c5e9bc4cda9e03e3641388de3c5c286",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/2b3006076c5e9bc4cda9e03e3641388de3c5c286"
            }
          ],
          "source": {
            "advisory": "GHSA-rwxx-mrjm-wc2m",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: ReDoS via structured_outputs.regex compiled without timeout in xgrammar and outlines backends"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55574",
        "datePublished": "2026-07-06T20:05:31.003Z",
        "dateReserved": "2026-06-16T23:11:20.214Z",
        "dateUpdated": "2026-07-06T20:52:57.336Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55514 (GCVE-0-2026-55514)

    Vulnerability from nvd – Published: 2026-07-06 20:07 – Updated: 2026-07-06 20:46
    VLAI
    Title
    vLLM denial of service via prompt embeds on M-RoPE models
    Summary
    vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with a model using M-RoPE causes EngineCore to fail an assertion and fatally crash, shutting down the entire server application. Any remote user who is authorized to make a /v1/completions request can make such a request and induce a crash. This issue is fixed in version 0.24.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: >= 0.12.0, < 0.24.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55514",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T20:45:29.132412Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T20:46:52.405Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.12.0, \u003c 0.24.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with a model using M-RoPE causes EngineCore to fail an assertion and fatally crash, shutting down the entire server application. Any remote user who is authorized to make a /v1/completions request can make such a request and induce a crash. This issue is fixed in version 0.24.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-617",
                  "description": "CWE-617: Reachable Assertion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T20:07:40.405Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-33cg-gxv8-3p8g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-33cg-gxv8-3p8g"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/45252",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/45252"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/470229c37efaf69c86e8bc97482b0b1ff7551c65",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/470229c37efaf69c86e8bc97482b0b1ff7551c65"
            },
            {
              "name": "https://github.com/vllm-project/vllm/releases/tag/v0.24.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/releases/tag/v0.24.0"
            }
          ],
          "source": {
            "advisory": "GHSA-33cg-gxv8-3p8g",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM denial of service via prompt embeds on M-RoPE models"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55514",
        "datePublished": "2026-07-06T20:07:40.405Z",
        "dateReserved": "2026-06-16T22:44:22.284Z",
        "dateUpdated": "2026-07-06T20:46:52.405Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54234 (GCVE-0-2026-54234)

    Vulnerability from nvd – Published: 2026-07-06 19:49 – Updated: 2026-07-07 14:13
    VLAI
    Title
    vLLM: Remote DoS in vLLM via Invalid Recovered Token Reinjection
    Summary
    vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal multi-request speculative decoding workload can cause the rejection sampler to produce a recovered token equal to the model vocabulary size boundary value, which is then converted to negative one when the engine selects the next live token for a request and is written back into the drafter's input ids; that out-of-vocabulary value is later consumed by the model's embedding and attention path and crashes the engine worker with a GPU device-side assertion. The same triggering request sequence is reachable through the public gRPC Generate and Abort endpoints, so a remote client that can send generation requests can crash the shared engine worker, aborting concurrent requests and causing a service-wide denial of service for other clients of the deployment until the worker is restarted. This issue is fixed in version 0.24.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-1284 - Improper Validation of Specified Quantity in Input
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: < 0.24.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54234",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-07T14:12:43.565166Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-07T14:13:34.348Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-8wr5-jm2h-8r4f"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.24.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal multi-request speculative decoding workload can cause the rejection sampler to produce a recovered token equal to the model vocabulary size boundary value, which is then converted to negative one when the engine selects the next live token for a request and is written back into the drafter\u0027s input ids; that out-of-vocabulary value is later consumed by the model\u0027s embedding and attention path and crashes the engine worker with a GPU device-side assertion. The same triggering request sequence is reachable through the public gRPC Generate and Abort endpoints, so a remote client that can send generation requests can crash the shared engine worker, aborting concurrent requests and causing a service-wide denial of service for other clients of the deployment until the worker is restarted. This issue is fixed in version 0.24.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1284",
                  "description": "CWE-1284: Improper Validation of Specified Quantity in Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:49:20.481Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-8wr5-jm2h-8r4f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-8wr5-jm2h-8r4f"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/44744",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/44744"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/8a5cf1ccd65e8ac7635c402c1ec0b08988bc26ca",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/8a5cf1ccd65e8ac7635c402c1ec0b08988bc26ca"
            }
          ],
          "source": {
            "advisory": "GHSA-8wr5-jm2h-8r4f",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: Remote DoS in vLLM via Invalid Recovered Token Reinjection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54234",
        "datePublished": "2026-07-06T19:49:20.481Z",
        "dateReserved": "2026-06-12T16:25:43.084Z",
        "dateUpdated": "2026-07-07T14:13:34.348Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55646 (GCVE-0-2026-55646)

    Vulnerability from nvd – Published: 2026-07-06 19:41 – Updated: 2026-07-06 19:49
    VLAI
    Title
    vLLM speech-to-text endpoints allocate full upload before enforcing the audio file-size limit
    Summary
    vLLM is an inference and serving engine for large language models. From 0.22.0 to 0.23.0, the /v1/audio/transcriptions and /v1/audio/translations routes call request.file.read() to fully materialize an uploaded audio file into memory before vLLM checks the documented VLLM_MAX_AUDIO_CLIP_FILESIZE_MB compressed upload size limit (default 25 MB) later in the speech-to-text preprocessing step, so an API caller who can reach those routes can submit an oversized multipart upload and cause vLLM to allocate memory proportional to the uploaded file size before the request is rejected as too large, creating memory pressure or terminating the process depending on deployment resource limits. This issue is fixed in version 0.24.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: >= 0.22.0, < 0.24.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55646",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T19:49:41.180992Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T19:49:44.773Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-v82g-2437-67m2"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.22.0, \u003c 0.24.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models. From 0.22.0 to 0.23.0, the /v1/audio/transcriptions and /v1/audio/translations routes call request.file.read() to fully materialize an uploaded audio file into memory before vLLM checks the documented VLLM_MAX_AUDIO_CLIP_FILESIZE_MB compressed upload size limit (default 25 MB) later in the speech-to-text preprocessing step, so an API caller who can reach those routes can submit an oversized multipart upload and cause vLLM to allocate memory proportional to the uploaded file size before the request is rejected as too large, creating memory pressure or terminating the process depending on deployment resource limits. This issue is fixed in version 0.24.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:41:11.330Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-v82g-2437-67m2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-v82g-2437-67m2"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/45510",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/45510"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/b997071ec493765abbed990c65843ed05e4708a8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/b997071ec493765abbed990c65843ed05e4708a8"
            }
          ],
          "source": {
            "advisory": "GHSA-v82g-2437-67m2",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM speech-to-text endpoints allocate full upload before enforcing the audio file-size limit"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55646",
        "datePublished": "2026-07-06T19:41:11.330Z",
        "dateReserved": "2026-06-16T23:52:12.058Z",
        "dateUpdated": "2026-07-06T19:49:44.773Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54236 (GCVE-0-2026-54236)

    Vulnerability from nvd – Published: 2026-06-22 22:09 – Updated: 2026-06-23 12:33
    VLAI
    Title
    vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo str(exc) directly to clients without calling sanitize_message. The unsanitized sites include the Anthropic API router in vllm/entrypoints/anthropic/api_router.py (the POST /v1/messages and POST /v1/messages/count_tokens handlers), the Server-Sent Events streaming converter in vllm/entrypoints/anthropic/serving.py, and the realtime speech-to-text WebSocket in vllm/entrypoints/speech_to_text/realtime/connection.py. These paths catch the exception inside the route coroutine and construct the JSONResponse themselves, bypassing the sanitizing global FastAPI exception handler, and WebSocket frames do not traverse that handler chain at all. Using the same primitive as the parent issue, an unauthenticated attacker can send malformed image bytes through the Anthropic Messages API image content parts so that PIL.Image.open raises an UnidentifiedImageError whose message contains the BytesIO object repr, leaking the heap memory address verbatim in the error.message field of the response body. This vulnerability is fixed in 0.23.1rc0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: < 0.23.1rc0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54236",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T12:32:56.752434Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T12:33:28.108Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hgg8-fqqc-vfmw"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.23.1rc0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo str(exc) directly to clients without calling sanitize_message. The unsanitized sites include the Anthropic API router in vllm/entrypoints/anthropic/api_router.py (the POST /v1/messages and POST /v1/messages/count_tokens handlers), the Server-Sent Events streaming converter in vllm/entrypoints/anthropic/serving.py, and the realtime speech-to-text WebSocket in vllm/entrypoints/speech_to_text/realtime/connection.py. These paths catch the exception inside the route coroutine and construct the JSONResponse themselves, bypassing the sanitizing global FastAPI exception handler, and WebSocket frames do not traverse that handler chain at all. Using the same primitive as the parent issue, an unauthenticated attacker can send malformed image bytes through the Anthropic Messages API image content parts so that PIL.Image.open raises an UnidentifiedImageError whose message contains the BytesIO object repr, leaking the heap memory address verbatim in the error.message field of the response body. This vulnerability is fixed in 0.23.1rc0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532: Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T22:09:15.034Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hgg8-fqqc-vfmw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hgg8-fqqc-vfmw"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/45119",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/45119"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/94923629729381d7f7c9efde72071a2441f7fd82",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/94923629729381d7f7c9efde72071a2441f7fd82"
            }
          ],
          "source": {
            "advisory": "GHSA-hgg8-fqqc-vfmw",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54236",
        "datePublished": "2026-06-22T22:09:15.034Z",
        "dateReserved": "2026-06-12T16:25:43.084Z",
        "dateUpdated": "2026-06-23T12:33:28.108Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54235 (GCVE-0-2026-54235)

    Vulnerability from nvd – Published: 2026-06-22 21:59 – Updated: 2026-06-23 12:26
    VLAI
    Title
    vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, ll temperature validation gates use comparison operators (<, >), which silently evaluate to False for NaN and for positive Infinity in Python's IEEE 754 float semantics. Both values pass every guard and propagate to GPU sampling kernels, where they produce undefined behavior or CUDA errors that can crash the inference worker. This vulnerability is fixed in 0.23.1rc0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1287 - Improper Validation of Specified Type of Input
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: < 0.23.1rc0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54235",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T12:25:28.448086Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T12:26:01.329Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.23.1rc0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, ll temperature validation gates use comparison operators (\u003c, \u003e), which silently evaluate to False for NaN and for positive Infinity in Python\u0027s IEEE 754 float semantics. Both values pass every guard and propagate to GPU sampling kernels, where they produce undefined behavior or CUDA errors that can crash the inference worker. This vulnerability is fixed in 0.23.1rc0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1287",
                  "description": "CWE-1287: Improper Validation of Specified Type of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T21:59:02.710Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-7h4p-rffg-7823",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-7h4p-rffg-7823"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/45116",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/45116"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/d598d239737cfa37bcfcb98886ec3f3557fc7198",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/d598d239737cfa37bcfcb98886ec3f3557fc7198"
            }
          ],
          "source": {
            "advisory": "GHSA-7h4p-rffg-7823",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54235",
        "datePublished": "2026-06-22T21:59:02.710Z",
        "dateReserved": "2026-06-12T16:25:43.084Z",
        "dateUpdated": "2026-06-23T12:26:01.329Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54233 (GCVE-0-2026-54233)

    Vulnerability from nvd – Published: 2026-06-22 22:10 – Updated: 2026-06-23 12:15
    VLAI
    Title
    vLLM: OOM Denial of Service via Audio Decompression Bomb
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, vLLM's /v1/audio/transcriptions endpoint limits compressed upload size but not decoded PCM output. A 25MB OPUS file expands to ~14.9GB of float32 PCM at decode time. This vulnerability is fixed in 0.23.1rc0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
    Assigner
    References
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: < 0.23.1rc0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54233",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T12:15:37.427990Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T12:15:43.607Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.23.1rc0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, vLLM\u0027s /v1/audio/transcriptions endpoint limits compressed upload size but not decoded PCM output. A 25MB OPUS file expands to ~14.9GB of float32 PCM at decode time. This vulnerability is fixed in 0.23.1rc0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-409",
                  "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T22:10:45.689Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-6pr9-rp53-2pmc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-6pr9-rp53-2pmc"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/44970",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/44970"
            }
          ],
          "source": {
            "advisory": "GHSA-6pr9-rp53-2pmc",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: OOM Denial of Service via Audio Decompression Bomb"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54233",
        "datePublished": "2026-06-22T22:10:45.689Z",
        "dateReserved": "2026-06-12T16:25:43.084Z",
        "dateUpdated": "2026-06-23T12:15:43.607Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54232 (GCVE-0-2026-54232)

    Vulnerability from nvd – Published: 2026-06-22 22:16 – Updated: 2026-06-23 14:30
    VLAI
    Title
    vLLM: Dependency Confusion Vulnerability in vLLM Dockerfile
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer.ai/whl/) using --extra-index-url, but the package name was not registered on PyPI, and UV_INDEX_STRATEGY="unsafe-best-match" is set globally. An attacker who registers flashinfer-jit-cache on PyPI with version 0.6.11.post2 can execute arbitrary code as root during the Docker build and backdoor every resulting container image, enabling exfiltration of all user prompts, API credentials, and model data from production vLLM deployments This vulnerability is fixed in 0.22.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-427 - Uncontrolled Search Path Element
    Assigner
    References
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: < 0.22.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54232",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T14:29:54.064861Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T14:30:04.849Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.22.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer.ai/whl/) using --extra-index-url, but the package name was not registered on PyPI, and UV_INDEX_STRATEGY=\"unsafe-best-match\" is set globally. An attacker who registers flashinfer-jit-cache on PyPI with version 0.6.11.post2 can execute arbitrary code as root during the Docker build and backdoor every resulting container image, enabling exfiltration of all user prompts, API credentials, and model data from production vLLM deployments This vulnerability is fixed in 0.22.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "CWE-427: Uncontrolled Search Path Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T22:16:43.101Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-jrf6-vqxq-pjv2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-jrf6-vqxq-pjv2"
            }
          ],
          "source": {
            "advisory": "GHSA-jrf6-vqxq-pjv2",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM:  Dependency Confusion Vulnerability in vLLM Dockerfile"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54232",
        "datePublished": "2026-06-22T22:16:43.101Z",
        "dateReserved": "2026-06-12T16:25:43.084Z",
        "dateUpdated": "2026-06-23T14:30:04.849Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53923 (GCVE-0-2026-53923)

    Vulnerability from nvd – Published: 2026-06-22 21:55 – Updated: 2026-06-23 15:05
    VLAI
    Title
    vLLM GGUF Kernels: int64_t to int truncation of tensor dimensions causes GPU buffer overflow
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). From 0.5.5 until 0.23.1rc0, integer truncation of tensor dimensions in vLLM's GGUF dequantize kernels (csrc/quantization/gguf/gguf_kernel.cu) causes partial tensor processing. The output tensor is allocated at full size via torch::empty (uninitialized memory), but the dequantize CUDA kernel processes only a truncated number of elements. The unfilled portion of the output tensor retains whatever was previously in GPU memory. In multi-tenant inference deployments, this residual GPU memory may contain tensor data from other users' inference requests, constituting information disclosure. This vulnerability is fixed in 0.23.1rc0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-681 - Incorrect Conversion between Numeric Types
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: >= 0.5.5, < 0.23.1rc0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53923",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T15:04:15.555317Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T15:05:21.711Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.5.5, \u003c 0.23.1rc0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). From 0.5.5 until 0.23.1rc0, integer truncation of tensor dimensions in vLLM\u0027s GGUF dequantize kernels (csrc/quantization/gguf/gguf_kernel.cu) causes partial tensor processing. The output tensor is allocated at full size via torch::empty (uninitialized memory), but the dequantize CUDA kernel processes only a truncated number of elements. The unfilled portion of the output tensor retains whatever was previously in GPU memory. In multi-tenant inference deployments, this residual GPU memory may contain tensor data from other users\u0027 inference requests, constituting information disclosure. This vulnerability is fixed in 0.23.1rc0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-681",
                  "description": "CWE-681: Incorrect Conversion between Numeric Types",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T21:55:42.001Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-5jv2-g5wq-cmr4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-5jv2-g5wq-cmr4"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/44971",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/44971"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/f219788f91952827132fa4fdf916427cd20d225e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/f219788f91952827132fa4fdf916427cd20d225e"
            }
          ],
          "source": {
            "advisory": "GHSA-5jv2-g5wq-cmr4",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM GGUF Kernels: int64_t to int truncation of tensor dimensions causes GPU buffer overflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53923",
        "datePublished": "2026-06-22T21:55:42.001Z",
        "dateReserved": "2026-06-11T15:46:12.316Z",
        "dateUpdated": "2026-06-23T15:05:21.711Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48746 (GCVE-0-2026-48746)

    Vulnerability from nvd – Published: 2026-06-22 21:57 – Updated: 2026-07-08 12:05
    VLAI
    Title
    vLLM: OpenAI auth bypass
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    • CWE-501 - Trust Boundary Violation
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48746",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T14:01:22.798843Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T14:41:55.657Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://x41-dsec.de/lab/advisories/x41-2026-002-starlette"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ai_inference_server:3.2::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AI Inference Server 3.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ai_inference_server:3.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AI Inference Server 3.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:exploit_intelligence:0"
                ],
                "defaultStatus": "affected",
                "product": "Exploit Intelligence",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:migration_toolkit_applications:8"
                ],
                "defaultStatus": "affected",
                "product": "Migration Toolkit for Applications 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_lightspeed"
                ],
                "defaultStatus": "affected",
                "product": "OpenShift Lightspeed",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ai_inference_server:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AI Inference Server",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux_ai:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:satellite:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Satellite 6",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-22T21:57:28.997Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). This vulnerability, residing in ASGI web servers and Starlette\u0027s trust in them, allows an attacker to bypass the OpenAI API Authentication Middleware. This bypass enables unauthorized access to the API without requiring the configured VLLM_API_KEY or --api-key, leading to critical unauthorized operations."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-501",
                    "description": "Trust Boundary Violation",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T12:05:51.021Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-48746"
              },
              {
                "name": "RHBZ#2491581",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491581"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48746.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:36005"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:36006"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30089"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30088"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:36005: Red Hat AI Inference Server 3.2"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:36006: Red Hat AI Inference Server 3.2"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30089: Red Hat AI Inference Server 3.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30088: Red Hat AI Inference Server 3.3"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-22T23:00:57.824Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-22T21:57:28.997Z",
                "value": "Made public."
              }
            ],
            "title": "vllm: starlette: vLLM: Critical authentication bypass allows unauthorized API access",
            "workarounds": [
              {
                "lang": "en",
                "value": "Restrict network access to the vLLM API endpoint to only trusted clients and internal networks. Implement firewall rules or network policies to limit inbound connections to the vLLM service, thereby reducing the attack surface. This operational control helps prevent unauthorized external access to the vulnerable API."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.3.0, \u003c 0.22.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette\u0027s trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T21:57:28.997Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-94f4-hr76-p5j6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-94f4-hr76-p5j6"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/43426",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/43426"
            },
            {
              "name": "https://x41-dsec.de/lab/advisories/x41-2026-002-starlette",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://x41-dsec.de/lab/advisories/x41-2026-002-starlette"
            }
          ],
          "source": {
            "advisory": "GHSA-94f4-hr76-p5j6",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: OpenAI auth bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48746",
        "datePublished": "2026-06-22T21:57:28.997Z",
        "dateReserved": "2026-05-22T19:10:35.747Z",
        "dateUpdated": "2026-07-08T12:05:51.021Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47155 (GCVE-0-2026-47155)

    Vulnerability from nvd – Published: 2026-06-22 22:20 – Updated: 2026-06-23 12:35
    VLAI
    Title
    vLLM: Artifact Pin Decay in vLLM allows pinned deployments to load unpinned code, weights, and processors
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/default revision. This is a supply-chain integrity issue for pinned vLLM deployments. Operators can believe they are serving a reviewed model revision while vLLM resolves behavior-affecting nested or sibling artifacts outside that reviewed revision. This vulnerability is fixed in 0.22.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: < 0.22.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47155",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T12:34:39.566846Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T12:35:39.739Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.22.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM\u0027s revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/default revision. This is a supply-chain integrity issue for pinned vLLM deployments. Operators can believe they are serving a reviewed model revision while vLLM resolves behavior-affecting nested or sibling artifacts outside that reviewed revision. This vulnerability is fixed in 0.22.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T22:20:10.793Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-3ww4-5jv9-j5gm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-3ww4-5jv9-j5gm"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/42616",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/42616"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/d26a28ab033697f55a1414b5b0435de7cd6045b6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/d26a28ab033697f55a1414b5b0435de7cd6045b6"
            },
            {
              "name": "https://huntr.com/bounties/3f1e24c0-87d2-4f6c-a705-820f380879ac",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://huntr.com/bounties/3f1e24c0-87d2-4f6c-a705-820f380879ac"
            }
          ],
          "source": {
            "advisory": "GHSA-3ww4-5jv9-j5gm",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: Artifact Pin Decay in vLLM allows pinned deployments to load unpinned code, weights, and processors"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47155",
        "datePublished": "2026-06-22T22:20:10.793Z",
        "dateReserved": "2026-05-18T21:25:34.496Z",
        "dateUpdated": "2026-06-23T12:35:39.739Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41523 (GCVE-0-2026-41523)

    Vulnerability from nvd – Published: 2026-06-22 22:18 – Updated: 2026-07-07 12:05
    VLAI
    Title
    vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, an assert-based security check in vLLM's activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model, when vLLM runs in Python optimized mode (python -O or PYTHONOPTIMIZE=1). This vulnerability is fixed in 0.22.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    • CWE-617 - Reachable Assertion
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41523",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T12:23:15.308986Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T12:23:42.580Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ai_inference_server:3.2::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AI Inference Server 3.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ai_inference_server:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AI Inference Server",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux_ai:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-22T22:18:14.494Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). An unauthenticated attacker can exploit an assert-based security check during activation function loading. By publishing a malicious HuggingFace model, an attacker can achieve arbitrary code execution on the server when vLLM runs in Python optimized mode."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-617",
                    "description": "Reachable Assertion",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-07T12:05:05.273Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-41523"
              },
              {
                "name": "RHBZ#2491582",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491582"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41523.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:36005"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:36006"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:36005: Red Hat AI Inference Server 3.2"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:36006: Red Hat AI Inference Server 3.2"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-22T23:01:00.799Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-22T22:18:14.494Z",
                "value": "Made public."
              }
            ],
            "title": "vllm: vLLM: Arbitrary code execution via malicious HuggingFace model",
            "workarounds": [
              {
                "lang": "en",
                "value": "Avoid running vLLM with python -O or PYTHONOPTIMIZE=1 until updated packages are available. Only load models from trusted sources. Restrict who can deploy or update models on inference endpoints. Apply network access controls and authentication in front of vLLM APIs."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.22.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, an assert-based security check in vLLM\u0027s activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model, when vLLM runs in Python optimized mode (python -O or PYTHONOPTIMIZE=1). This vulnerability is fixed in 0.22.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-617",
                  "description": "CWE-617: Reachable Assertion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T22:18:14.494Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-q8gq-377p-jq3r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-q8gq-377p-jq3r"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/b3c7ffcab82c2439726f8cb213800f6f38c023d3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/b3c7ffcab82c2439726f8cb213800f6f38c023d3"
            },
            {
              "name": "https://huntr.com/bounties/dcb05b04-e625-41e7-adbc-bbae0cc2d64c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://huntr.com/bounties/dcb05b04-e625-41e7-adbc-bbae0cc2d64c"
            }
          ],
          "source": {
            "advisory": "GHSA-q8gq-377p-jq3r",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41523",
        "datePublished": "2026-06-22T22:18:14.494Z",
        "dateReserved": "2026-04-20T18:18:50.682Z",
        "dateUpdated": "2026-07-07T12:05:05.273Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12491 (GCVE-0-2026-12491)

    Vulnerability from nvd – Published: 2026-06-17 10:07 – Updated: 2026-07-07 07:44
    VLAI
    Title
    Vllm: vllm: image exif rotation & png trns transparency not normalized, causing mismatch between model input and expectations
    Summary
    A flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-115 - Misinterpretation of Input
    Assigner
    References
    URL Tags
    https://access.redhat.com/security/cve/CVE-2026-12491 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2489786 issue-trackingx_refsource_REDHAT
    Impacted products
    Date Public
    2026-06-10 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12491",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T14:47:47.319727Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-17T14:47:57.047Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/vllm-project/vllm",
              "defaultStatus": "unaffected",
              "packageName": "vllm",
              "product": "vLLM",
              "vendor": "vllm-project",
              "versions": [
                {
                  "lessThan": "0.24.0",
                  "status": "affected",
                  "version": "0.11.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaiis/vllm-cpu-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaiis/vllm-cuda-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaiis/vllm-neuron-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaiis/vllm-rocm-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaiis/vllm-spyre-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaiis/vllm-tpu-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaii/vllm-cpu-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaii/vllm-cuda-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaii/vllm-gaudi-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaii/vllm-neuron-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaii/vllm-rocm-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaii/vllm-spyre-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaii/vllm-tpu-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:enterprise_linux_ai:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhelai3/bootc-aws-cuda-rhel9",
              "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:enterprise_linux_ai:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhelai3/bootc-azure-cuda-rhel9",
              "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:enterprise_linux_ai:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhelai3/bootc-azure-rocm-rhel9",
              "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:enterprise_linux_ai:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhelai3/bootc-cuda-rhel9",
              "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:enterprise_linux_ai:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhelai3/bootc-gaudi-rhel9",
              "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:enterprise_linux_ai:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhelai3/bootc-gcp-cuda-rhel9",
              "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:enterprise_linux_ai:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhelai3/bootc-rocm-rhel9",
              "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:openshift_ai"
              ],
              "defaultStatus": "affected",
              "packageName": "rhoai/odh-kserve-agent-rhel9",
              "product": "Red Hat OpenShift AI (RHOAI)",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:openshift_ai"
              ],
              "defaultStatus": "affected",
              "packageName": "rhoai/odh-kserve-controller-rhel9",
              "product": "Red Hat OpenShift AI (RHOAI)",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:openshift_ai"
              ],
              "defaultStatus": "affected",
              "packageName": "rhoai/odh-kserve-router-rhel9",
              "product": "Red Hat OpenShift AI (RHOAI)",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:openshift_ai"
              ],
              "defaultStatus": "affected",
              "packageName": "rhoai/odh-kserve-storage-initializer-rhel9",
              "product": "Red Hat OpenShift AI (RHOAI)",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:openshift_ai"
              ],
              "defaultStatus": "affected",
              "packageName": "rhoai/odh-llm-d-kv-cache-rhel9",
              "product": "Red Hat OpenShift AI (RHOAI)",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:openshift_ai"
              ],
              "defaultStatus": "affected",
              "packageName": "rhoai/odh-vllm-cuda-rhel9",
              "product": "Red Hat OpenShift AI (RHOAI)",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:openshift_ai"
              ],
              "defaultStatus": "affected",
              "packageName": "rhoai/odh-vllm-gaudi-rhel9",
              "product": "Red Hat OpenShift AI (RHOAI)",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:openshift_ai"
              ],
              "defaultStatus": "affected",
              "packageName": "rhoai/odh-vllm-rocm-rhel9",
              "product": "Red Hat OpenShift AI (RHOAI)",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2026-06-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-115",
                  "description": "Misinterpretation of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T07:44:29.614Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-12491"
            },
            {
              "name": "RHBZ#2489786",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489786"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-17T07:56:27.368Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-10T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Vllm: vllm: image exif rotation \u0026 png trns transparency not normalized, causing mismatch between model input and expectations",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-115: Misinterpretation of Input"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-12491",
        "datePublished": "2026-06-17T10:07:28.756Z",
        "dateReserved": "2026-06-17T07:24:01.437Z",
        "dateUpdated": "2026-07-07T07:44:29.614Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9540 (GCVE-0-2026-9540)

    Vulnerability from nvd – Published: 2026-05-26 10:30 – Updated: 2026-05-26 13:47
    VLAI
    Title
    vllm-project vllm OpenAI-compatible Serving Path denial of service
    Summary
    A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: 0.19.0
        cpe:2.3:a:vllm-project:vllm:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Zyz3366 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9540",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T13:47:49.051201Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T13:47:57.215Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:vllm-project:vllm:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "OpenAI-compatible Serving Path"
              ],
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.19.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Zyz3366 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-404",
                  "description": "Denial of Service",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-26T10:30:12.648Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-365601 | vllm-project vllm OpenAI-compatible Serving Path denial of service",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/vuln/365601"
            },
            {
              "name": "VDB-365601 | CTI Indicators (IOB, IOC, TTP)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/365601/cti"
            },
            {
              "name": "Submit #814645 | vllm-project vllm 0.19.0 Denial of Service",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/814645"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/vllm-project/vllm/issues/37343"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/37594"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://ingero.io/debugging-vllm-latency-minimax-ollama-mcp/"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/vllm-project/vllm/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-26T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-26T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-26T07:50:13.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "vllm-project vllm OpenAI-compatible Serving Path denial of service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-9540",
        "datePublished": "2026-05-26T10:30:12.648Z",
        "dateReserved": "2026-05-26T05:44:55.913Z",
        "dateUpdated": "2026-05-26T13:47:57.215Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44223 (GCVE-0-2026-44223)

    Vulnerability from nvd – Published: 2026-05-12 19:58 – Updated: 2026-06-22 21:49
    VLAI
    Title
    vLLM: extract_hidden_states speculative decoding crashes server on any request with penalty parameters
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). From 0.18.0 to before 0.20.0, the extract_hidden_states speculative decoding proposer in vLLM returns a tensor with an incorrect shape after the first decode step, causing a RuntimeError that crashes the EngineCore process. The crash is triggered when any request in the batch uses sampling penalty parameters (repetition_penalty, frequency_penalty, or presence_penalty). A single request with a penalty parameter (e.g., "repetition_penalty": 1.1) is sufficient to crash the server. This vulnerability is fixed in 0.20.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-131 - Incorrect Calculation of Buffer Size
    • CWE-704 - Incorrect Type Conversion or Cast
    Assigner
    References
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: >= 0.18.0, < 0.20.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44223",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-15T14:44:05.012494Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-15T14:46:25.695Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-83vm-p52w-f9pw"
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vllm-project/vllm/pull/38610"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.18.0, \u003c 0.20.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). From 0.18.0 to before 0.20.0, the extract_hidden_states speculative decoding proposer in vLLM returns a tensor with an incorrect shape after the first decode step, causing a RuntimeError that crashes the EngineCore process. The crash is triggered when any request in the batch uses sampling penalty parameters (repetition_penalty, frequency_penalty, or presence_penalty). A single request with a penalty parameter (e.g., \"repetition_penalty\": 1.1) is sufficient to crash the server. This vulnerability is fixed in 0.20.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-131",
                  "description": "CWE-131: Incorrect Calculation of Buffer Size",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-704",
                  "description": "CWE-704: Incorrect Type Conversion or Cast",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T21:49:24.277Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-83vm-p52w-f9pw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-83vm-p52w-f9pw"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/38610",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/38610"
            }
          ],
          "source": {
            "advisory": "GHSA-83vm-p52w-f9pw",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: extract_hidden_states speculative decoding crashes server on any request with penalty parameters"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44223",
        "datePublished": "2026-05-12T19:58:40.862Z",
        "dateReserved": "2026-05-05T15:42:40.518Z",
        "dateUpdated": "2026-06-22T21:49:24.277Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44222 (GCVE-0-2026-44222)

    Vulnerability from nvd – Published: 2026-05-12 19:57 – Updated: 2026-05-13 12:24
    VLAI
    Title
    vLLM: Remote DoS via Special-Token Placeholders
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). From 0.6.1 to before 0.20.0, there is a a Token Injection vulnerability in vLLM’s multimodal processing. Unauthenticated, text-only prompts that spell special tokens are interpreted as control. Image and video placeholder sequences supplied without matching data cause vLLM to index into empty grids during input-position computation, raising an unhandled IndexError and terminating the worker or degrading availability. Multimodal paths that rely on image_grid_thw/video_grid_thw are affected. This vulnerability is fixed in 0.20.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-129 - Improper Validation of Array Index
    Assigner
    References
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: >= 0.6.1, < 0.20.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44222",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T12:24:39.409933Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T12:24:53.560Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.6.1, \u003c 0.20.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). From 0.6.1 to before 0.20.0, there is a a Token Injection vulnerability in vLLM\u2019s multimodal processing. Unauthenticated, text-only prompts that spell special tokens are interpreted as control. Image and video placeholder sequences supplied without matching data cause vLLM to index into empty grids during input-position computation, raising an unhandled IndexError and terminating the worker or degrading availability. Multimodal paths that rely on image_grid_thw/video_grid_thw are affected. This vulnerability is fixed in 0.20.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-129",
                  "description": "CWE-129: Improper Validation of Array Index",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T19:57:25.336Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hpv8-x276-m59f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hpv8-x276-m59f"
            },
            {
              "name": "https://github.com/vllm-project/vllm/issues/32656",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/issues/32656"
            }
          ],
          "source": {
            "advisory": "GHSA-hpv8-x276-m59f",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: Remote DoS via Special-Token Placeholders"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44222",
        "datePublished": "2026-05-12T19:57:25.336Z",
        "dateReserved": "2026-05-05T15:42:40.518Z",
        "dateUpdated": "2026-05-13T12:24:53.560Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55514 (GCVE-0-2026-55514)

    Vulnerability from cvelistv5 – Published: 2026-07-06 20:07 – Updated: 2026-07-06 20:46
    VLAI
    Title
    vLLM denial of service via prompt embeds on M-RoPE models
    Summary
    vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with a model using M-RoPE causes EngineCore to fail an assertion and fatally crash, shutting down the entire server application. Any remote user who is authorized to make a /v1/completions request can make such a request and induce a crash. This issue is fixed in version 0.24.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: >= 0.12.0, < 0.24.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55514",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T20:45:29.132412Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T20:46:52.405Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.12.0, \u003c 0.24.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with a model using M-RoPE causes EngineCore to fail an assertion and fatally crash, shutting down the entire server application. Any remote user who is authorized to make a /v1/completions request can make such a request and induce a crash. This issue is fixed in version 0.24.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-617",
                  "description": "CWE-617: Reachable Assertion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T20:07:40.405Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-33cg-gxv8-3p8g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-33cg-gxv8-3p8g"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/45252",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/45252"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/470229c37efaf69c86e8bc97482b0b1ff7551c65",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/470229c37efaf69c86e8bc97482b0b1ff7551c65"
            },
            {
              "name": "https://github.com/vllm-project/vllm/releases/tag/v0.24.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/releases/tag/v0.24.0"
            }
          ],
          "source": {
            "advisory": "GHSA-33cg-gxv8-3p8g",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM denial of service via prompt embeds on M-RoPE models"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55514",
        "datePublished": "2026-07-06T20:07:40.405Z",
        "dateReserved": "2026-06-16T22:44:22.284Z",
        "dateUpdated": "2026-07-06T20:46:52.405Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55574 (GCVE-0-2026-55574)

    Vulnerability from cvelistv5 – Published: 2026-07-06 20:05 – Updated: 2026-07-06 20:52
    VLAI
    Title
    vLLM: ReDoS via structured_outputs.regex compiled without timeout in xgrammar and outlines backends
    Summary
    vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, the structured_outputs.regex API parameter passes a user-supplied regular expression string directly to the grammar compiler backends with no compilation timeout; in the xgrammar backend the string reaches the regex compiler with no guard, and in the outlines backend the validation step blocks structural issues such as lookarounds and backreferences but performs no complexity analysis, so a pattern with nested quantifiers passes all checks and causes exponential state-space expansion, allowing a single request containing an adversarial regex to hang an inference worker indefinitely and deny service. This issue is fixed in version 0.24.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: < 0.24.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55574",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T20:52:49.859777Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T20:52:57.336Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.24.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, the structured_outputs.regex API parameter passes a user-supplied regular expression string directly to the grammar compiler backends with no compilation timeout; in the xgrammar backend the string reaches the regex compiler with no guard, and in the outlines backend the validation step blocks structural issues such as lookarounds and backreferences but performs no complexity analysis, so a pattern with nested quantifiers passes all checks and causes exponential state-space expansion, allowing a single request containing an adversarial regex to hang an inference worker indefinitely and deny service. This issue is fixed in version 0.24.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T20:05:31.003Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-rwxx-mrjm-wc2m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-rwxx-mrjm-wc2m"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/45118",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/45118"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/2b3006076c5e9bc4cda9e03e3641388de3c5c286",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/2b3006076c5e9bc4cda9e03e3641388de3c5c286"
            }
          ],
          "source": {
            "advisory": "GHSA-rwxx-mrjm-wc2m",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: ReDoS via structured_outputs.regex compiled without timeout in xgrammar and outlines backends"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55574",
        "datePublished": "2026-07-06T20:05:31.003Z",
        "dateReserved": "2026-06-16T23:11:20.214Z",
        "dateUpdated": "2026-07-06T20:52:57.336Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54234 (GCVE-0-2026-54234)

    Vulnerability from cvelistv5 – Published: 2026-07-06 19:49 – Updated: 2026-07-07 14:13
    VLAI
    Title
    vLLM: Remote DoS in vLLM via Invalid Recovered Token Reinjection
    Summary
    vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal multi-request speculative decoding workload can cause the rejection sampler to produce a recovered token equal to the model vocabulary size boundary value, which is then converted to negative one when the engine selects the next live token for a request and is written back into the drafter's input ids; that out-of-vocabulary value is later consumed by the model's embedding and attention path and crashes the engine worker with a GPU device-side assertion. The same triggering request sequence is reachable through the public gRPC Generate and Abort endpoints, so a remote client that can send generation requests can crash the shared engine worker, aborting concurrent requests and causing a service-wide denial of service for other clients of the deployment until the worker is restarted. This issue is fixed in version 0.24.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-1284 - Improper Validation of Specified Quantity in Input
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: < 0.24.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54234",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-07T14:12:43.565166Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-07T14:13:34.348Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-8wr5-jm2h-8r4f"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.24.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal multi-request speculative decoding workload can cause the rejection sampler to produce a recovered token equal to the model vocabulary size boundary value, which is then converted to negative one when the engine selects the next live token for a request and is written back into the drafter\u0027s input ids; that out-of-vocabulary value is later consumed by the model\u0027s embedding and attention path and crashes the engine worker with a GPU device-side assertion. The same triggering request sequence is reachable through the public gRPC Generate and Abort endpoints, so a remote client that can send generation requests can crash the shared engine worker, aborting concurrent requests and causing a service-wide denial of service for other clients of the deployment until the worker is restarted. This issue is fixed in version 0.24.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1284",
                  "description": "CWE-1284: Improper Validation of Specified Quantity in Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:49:20.481Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-8wr5-jm2h-8r4f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-8wr5-jm2h-8r4f"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/44744",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/44744"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/8a5cf1ccd65e8ac7635c402c1ec0b08988bc26ca",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/8a5cf1ccd65e8ac7635c402c1ec0b08988bc26ca"
            }
          ],
          "source": {
            "advisory": "GHSA-8wr5-jm2h-8r4f",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: Remote DoS in vLLM via Invalid Recovered Token Reinjection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54234",
        "datePublished": "2026-07-06T19:49:20.481Z",
        "dateReserved": "2026-06-12T16:25:43.084Z",
        "dateUpdated": "2026-07-07T14:13:34.348Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55646 (GCVE-0-2026-55646)

    Vulnerability from cvelistv5 – Published: 2026-07-06 19:41 – Updated: 2026-07-06 19:49
    VLAI
    Title
    vLLM speech-to-text endpoints allocate full upload before enforcing the audio file-size limit
    Summary
    vLLM is an inference and serving engine for large language models. From 0.22.0 to 0.23.0, the /v1/audio/transcriptions and /v1/audio/translations routes call request.file.read() to fully materialize an uploaded audio file into memory before vLLM checks the documented VLLM_MAX_AUDIO_CLIP_FILESIZE_MB compressed upload size limit (default 25 MB) later in the speech-to-text preprocessing step, so an API caller who can reach those routes can submit an oversized multipart upload and cause vLLM to allocate memory proportional to the uploaded file size before the request is rejected as too large, creating memory pressure or terminating the process depending on deployment resource limits. This issue is fixed in version 0.24.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: >= 0.22.0, < 0.24.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55646",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T19:49:41.180992Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T19:49:44.773Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-v82g-2437-67m2"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.22.0, \u003c 0.24.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models. From 0.22.0 to 0.23.0, the /v1/audio/transcriptions and /v1/audio/translations routes call request.file.read() to fully materialize an uploaded audio file into memory before vLLM checks the documented VLLM_MAX_AUDIO_CLIP_FILESIZE_MB compressed upload size limit (default 25 MB) later in the speech-to-text preprocessing step, so an API caller who can reach those routes can submit an oversized multipart upload and cause vLLM to allocate memory proportional to the uploaded file size before the request is rejected as too large, creating memory pressure or terminating the process depending on deployment resource limits. This issue is fixed in version 0.24.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:41:11.330Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-v82g-2437-67m2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-v82g-2437-67m2"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/45510",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/45510"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/b997071ec493765abbed990c65843ed05e4708a8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/b997071ec493765abbed990c65843ed05e4708a8"
            }
          ],
          "source": {
            "advisory": "GHSA-v82g-2437-67m2",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM speech-to-text endpoints allocate full upload before enforcing the audio file-size limit"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55646",
        "datePublished": "2026-07-06T19:41:11.330Z",
        "dateReserved": "2026-06-16T23:52:12.058Z",
        "dateUpdated": "2026-07-06T19:49:44.773Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47155 (GCVE-0-2026-47155)

    Vulnerability from cvelistv5 – Published: 2026-06-22 22:20 – Updated: 2026-06-23 12:35
    VLAI
    Title
    vLLM: Artifact Pin Decay in vLLM allows pinned deployments to load unpinned code, weights, and processors
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/default revision. This is a supply-chain integrity issue for pinned vLLM deployments. Operators can believe they are serving a reviewed model revision while vLLM resolves behavior-affecting nested or sibling artifacts outside that reviewed revision. This vulnerability is fixed in 0.22.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: < 0.22.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47155",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T12:34:39.566846Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T12:35:39.739Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.22.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM\u0027s revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/default revision. This is a supply-chain integrity issue for pinned vLLM deployments. Operators can believe they are serving a reviewed model revision while vLLM resolves behavior-affecting nested or sibling artifacts outside that reviewed revision. This vulnerability is fixed in 0.22.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T22:20:10.793Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-3ww4-5jv9-j5gm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-3ww4-5jv9-j5gm"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/42616",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/42616"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/d26a28ab033697f55a1414b5b0435de7cd6045b6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/d26a28ab033697f55a1414b5b0435de7cd6045b6"
            },
            {
              "name": "https://huntr.com/bounties/3f1e24c0-87d2-4f6c-a705-820f380879ac",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://huntr.com/bounties/3f1e24c0-87d2-4f6c-a705-820f380879ac"
            }
          ],
          "source": {
            "advisory": "GHSA-3ww4-5jv9-j5gm",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: Artifact Pin Decay in vLLM allows pinned deployments to load unpinned code, weights, and processors"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47155",
        "datePublished": "2026-06-22T22:20:10.793Z",
        "dateReserved": "2026-05-18T21:25:34.496Z",
        "dateUpdated": "2026-06-23T12:35:39.739Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41523 (GCVE-0-2026-41523)

    Vulnerability from cvelistv5 – Published: 2026-06-22 22:18 – Updated: 2026-07-07 12:05
    VLAI
    Title
    vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, an assert-based security check in vLLM's activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model, when vLLM runs in Python optimized mode (python -O or PYTHONOPTIMIZE=1). This vulnerability is fixed in 0.22.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    • CWE-617 - Reachable Assertion
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41523",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T12:23:15.308986Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T12:23:42.580Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ai_inference_server:3.2::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AI Inference Server 3.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ai_inference_server:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AI Inference Server",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux_ai:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-22T22:18:14.494Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). An unauthenticated attacker can exploit an assert-based security check during activation function loading. By publishing a malicious HuggingFace model, an attacker can achieve arbitrary code execution on the server when vLLM runs in Python optimized mode."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-617",
                    "description": "Reachable Assertion",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-07T12:05:05.273Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-41523"
              },
              {
                "name": "RHBZ#2491582",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491582"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41523.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:36005"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:36006"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:36005: Red Hat AI Inference Server 3.2"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:36006: Red Hat AI Inference Server 3.2"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-22T23:01:00.799Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-22T22:18:14.494Z",
                "value": "Made public."
              }
            ],
            "title": "vllm: vLLM: Arbitrary code execution via malicious HuggingFace model",
            "workarounds": [
              {
                "lang": "en",
                "value": "Avoid running vLLM with python -O or PYTHONOPTIMIZE=1 until updated packages are available. Only load models from trusted sources. Restrict who can deploy or update models on inference endpoints. Apply network access controls and authentication in front of vLLM APIs."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.22.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, an assert-based security check in vLLM\u0027s activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model, when vLLM runs in Python optimized mode (python -O or PYTHONOPTIMIZE=1). This vulnerability is fixed in 0.22.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-617",
                  "description": "CWE-617: Reachable Assertion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T22:18:14.494Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-q8gq-377p-jq3r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-q8gq-377p-jq3r"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/b3c7ffcab82c2439726f8cb213800f6f38c023d3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/b3c7ffcab82c2439726f8cb213800f6f38c023d3"
            },
            {
              "name": "https://huntr.com/bounties/dcb05b04-e625-41e7-adbc-bbae0cc2d64c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://huntr.com/bounties/dcb05b04-e625-41e7-adbc-bbae0cc2d64c"
            }
          ],
          "source": {
            "advisory": "GHSA-q8gq-377p-jq3r",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41523",
        "datePublished": "2026-06-22T22:18:14.494Z",
        "dateReserved": "2026-04-20T18:18:50.682Z",
        "dateUpdated": "2026-07-07T12:05:05.273Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54232 (GCVE-0-2026-54232)

    Vulnerability from cvelistv5 – Published: 2026-06-22 22:16 – Updated: 2026-06-23 14:30
    VLAI
    Title
    vLLM: Dependency Confusion Vulnerability in vLLM Dockerfile
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer.ai/whl/) using --extra-index-url, but the package name was not registered on PyPI, and UV_INDEX_STRATEGY="unsafe-best-match" is set globally. An attacker who registers flashinfer-jit-cache on PyPI with version 0.6.11.post2 can execute arbitrary code as root during the Docker build and backdoor every resulting container image, enabling exfiltration of all user prompts, API credentials, and model data from production vLLM deployments This vulnerability is fixed in 0.22.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-427 - Uncontrolled Search Path Element
    Assigner
    References
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: < 0.22.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54232",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T14:29:54.064861Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T14:30:04.849Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.22.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer.ai/whl/) using --extra-index-url, but the package name was not registered on PyPI, and UV_INDEX_STRATEGY=\"unsafe-best-match\" is set globally. An attacker who registers flashinfer-jit-cache on PyPI with version 0.6.11.post2 can execute arbitrary code as root during the Docker build and backdoor every resulting container image, enabling exfiltration of all user prompts, API credentials, and model data from production vLLM deployments This vulnerability is fixed in 0.22.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "CWE-427: Uncontrolled Search Path Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T22:16:43.101Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-jrf6-vqxq-pjv2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-jrf6-vqxq-pjv2"
            }
          ],
          "source": {
            "advisory": "GHSA-jrf6-vqxq-pjv2",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM:  Dependency Confusion Vulnerability in vLLM Dockerfile"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54232",
        "datePublished": "2026-06-22T22:16:43.101Z",
        "dateReserved": "2026-06-12T16:25:43.084Z",
        "dateUpdated": "2026-06-23T14:30:04.849Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54233 (GCVE-0-2026-54233)

    Vulnerability from cvelistv5 – Published: 2026-06-22 22:10 – Updated: 2026-06-23 12:15
    VLAI
    Title
    vLLM: OOM Denial of Service via Audio Decompression Bomb
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, vLLM's /v1/audio/transcriptions endpoint limits compressed upload size but not decoded PCM output. A 25MB OPUS file expands to ~14.9GB of float32 PCM at decode time. This vulnerability is fixed in 0.23.1rc0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
    Assigner
    References
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: < 0.23.1rc0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54233",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T12:15:37.427990Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T12:15:43.607Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.23.1rc0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, vLLM\u0027s /v1/audio/transcriptions endpoint limits compressed upload size but not decoded PCM output. A 25MB OPUS file expands to ~14.9GB of float32 PCM at decode time. This vulnerability is fixed in 0.23.1rc0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-409",
                  "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T22:10:45.689Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-6pr9-rp53-2pmc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-6pr9-rp53-2pmc"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/44970",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/44970"
            }
          ],
          "source": {
            "advisory": "GHSA-6pr9-rp53-2pmc",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: OOM Denial of Service via Audio Decompression Bomb"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54233",
        "datePublished": "2026-06-22T22:10:45.689Z",
        "dateReserved": "2026-06-12T16:25:43.084Z",
        "dateUpdated": "2026-06-23T12:15:43.607Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54236 (GCVE-0-2026-54236)

    Vulnerability from cvelistv5 – Published: 2026-06-22 22:09 – Updated: 2026-06-23 12:33
    VLAI
    Title
    vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo str(exc) directly to clients without calling sanitize_message. The unsanitized sites include the Anthropic API router in vllm/entrypoints/anthropic/api_router.py (the POST /v1/messages and POST /v1/messages/count_tokens handlers), the Server-Sent Events streaming converter in vllm/entrypoints/anthropic/serving.py, and the realtime speech-to-text WebSocket in vllm/entrypoints/speech_to_text/realtime/connection.py. These paths catch the exception inside the route coroutine and construct the JSONResponse themselves, bypassing the sanitizing global FastAPI exception handler, and WebSocket frames do not traverse that handler chain at all. Using the same primitive as the parent issue, an unauthenticated attacker can send malformed image bytes through the Anthropic Messages API image content parts so that PIL.Image.open raises an UnidentifiedImageError whose message contains the BytesIO object repr, leaking the heap memory address verbatim in the error.message field of the response body. This vulnerability is fixed in 0.23.1rc0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: < 0.23.1rc0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54236",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T12:32:56.752434Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T12:33:28.108Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hgg8-fqqc-vfmw"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.23.1rc0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo str(exc) directly to clients without calling sanitize_message. The unsanitized sites include the Anthropic API router in vllm/entrypoints/anthropic/api_router.py (the POST /v1/messages and POST /v1/messages/count_tokens handlers), the Server-Sent Events streaming converter in vllm/entrypoints/anthropic/serving.py, and the realtime speech-to-text WebSocket in vllm/entrypoints/speech_to_text/realtime/connection.py. These paths catch the exception inside the route coroutine and construct the JSONResponse themselves, bypassing the sanitizing global FastAPI exception handler, and WebSocket frames do not traverse that handler chain at all. Using the same primitive as the parent issue, an unauthenticated attacker can send malformed image bytes through the Anthropic Messages API image content parts so that PIL.Image.open raises an UnidentifiedImageError whose message contains the BytesIO object repr, leaking the heap memory address verbatim in the error.message field of the response body. This vulnerability is fixed in 0.23.1rc0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532: Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T22:09:15.034Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hgg8-fqqc-vfmw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hgg8-fqqc-vfmw"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/45119",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/45119"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/94923629729381d7f7c9efde72071a2441f7fd82",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/94923629729381d7f7c9efde72071a2441f7fd82"
            }
          ],
          "source": {
            "advisory": "GHSA-hgg8-fqqc-vfmw",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54236",
        "datePublished": "2026-06-22T22:09:15.034Z",
        "dateReserved": "2026-06-12T16:25:43.084Z",
        "dateUpdated": "2026-06-23T12:33:28.108Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54235 (GCVE-0-2026-54235)

    Vulnerability from cvelistv5 – Published: 2026-06-22 21:59 – Updated: 2026-06-23 12:26
    VLAI
    Title
    vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, ll temperature validation gates use comparison operators (<, >), which silently evaluate to False for NaN and for positive Infinity in Python's IEEE 754 float semantics. Both values pass every guard and propagate to GPU sampling kernels, where they produce undefined behavior or CUDA errors that can crash the inference worker. This vulnerability is fixed in 0.23.1rc0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1287 - Improper Validation of Specified Type of Input
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: < 0.23.1rc0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54235",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T12:25:28.448086Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T12:26:01.329Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.23.1rc0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, ll temperature validation gates use comparison operators (\u003c, \u003e), which silently evaluate to False for NaN and for positive Infinity in Python\u0027s IEEE 754 float semantics. Both values pass every guard and propagate to GPU sampling kernels, where they produce undefined behavior or CUDA errors that can crash the inference worker. This vulnerability is fixed in 0.23.1rc0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1287",
                  "description": "CWE-1287: Improper Validation of Specified Type of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T21:59:02.710Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-7h4p-rffg-7823",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-7h4p-rffg-7823"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/45116",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/45116"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/d598d239737cfa37bcfcb98886ec3f3557fc7198",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/d598d239737cfa37bcfcb98886ec3f3557fc7198"
            }
          ],
          "source": {
            "advisory": "GHSA-7h4p-rffg-7823",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54235",
        "datePublished": "2026-06-22T21:59:02.710Z",
        "dateReserved": "2026-06-12T16:25:43.084Z",
        "dateUpdated": "2026-06-23T12:26:01.329Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48746 (GCVE-0-2026-48746)

    Vulnerability from cvelistv5 – Published: 2026-06-22 21:57 – Updated: 2026-07-08 12:05
    VLAI
    Title
    vLLM: OpenAI auth bypass
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    • CWE-501 - Trust Boundary Violation
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48746",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T14:01:22.798843Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T14:41:55.657Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://x41-dsec.de/lab/advisories/x41-2026-002-starlette"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ai_inference_server:3.2::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AI Inference Server 3.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ai_inference_server:3.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AI Inference Server 3.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:exploit_intelligence:0"
                ],
                "defaultStatus": "affected",
                "product": "Exploit Intelligence",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:migration_toolkit_applications:8"
                ],
                "defaultStatus": "affected",
                "product": "Migration Toolkit for Applications 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_lightspeed"
                ],
                "defaultStatus": "affected",
                "product": "OpenShift Lightspeed",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ai_inference_server:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AI Inference Server",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux_ai:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:satellite:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Satellite 6",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-22T21:57:28.997Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). This vulnerability, residing in ASGI web servers and Starlette\u0027s trust in them, allows an attacker to bypass the OpenAI API Authentication Middleware. This bypass enables unauthorized access to the API without requiring the configured VLLM_API_KEY or --api-key, leading to critical unauthorized operations."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-501",
                    "description": "Trust Boundary Violation",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T12:05:51.021Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-48746"
              },
              {
                "name": "RHBZ#2491581",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491581"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48746.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:36005"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:36006"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30089"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30088"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:36005: Red Hat AI Inference Server 3.2"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:36006: Red Hat AI Inference Server 3.2"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30089: Red Hat AI Inference Server 3.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30088: Red Hat AI Inference Server 3.3"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-22T23:00:57.824Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-22T21:57:28.997Z",
                "value": "Made public."
              }
            ],
            "title": "vllm: starlette: vLLM: Critical authentication bypass allows unauthorized API access",
            "workarounds": [
              {
                "lang": "en",
                "value": "Restrict network access to the vLLM API endpoint to only trusted clients and internal networks. Implement firewall rules or network policies to limit inbound connections to the vLLM service, thereby reducing the attack surface. This operational control helps prevent unauthorized external access to the vulnerable API."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.3.0, \u003c 0.22.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette\u0027s trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T21:57:28.997Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-94f4-hr76-p5j6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-94f4-hr76-p5j6"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/43426",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/43426"
            },
            {
              "name": "https://x41-dsec.de/lab/advisories/x41-2026-002-starlette",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://x41-dsec.de/lab/advisories/x41-2026-002-starlette"
            }
          ],
          "source": {
            "advisory": "GHSA-94f4-hr76-p5j6",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: OpenAI auth bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48746",
        "datePublished": "2026-06-22T21:57:28.997Z",
        "dateReserved": "2026-05-22T19:10:35.747Z",
        "dateUpdated": "2026-07-08T12:05:51.021Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53923 (GCVE-0-2026-53923)

    Vulnerability from cvelistv5 – Published: 2026-06-22 21:55 – Updated: 2026-06-23 15:05
    VLAI
    Title
    vLLM GGUF Kernels: int64_t to int truncation of tensor dimensions causes GPU buffer overflow
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). From 0.5.5 until 0.23.1rc0, integer truncation of tensor dimensions in vLLM's GGUF dequantize kernels (csrc/quantization/gguf/gguf_kernel.cu) causes partial tensor processing. The output tensor is allocated at full size via torch::empty (uninitialized memory), but the dequantize CUDA kernel processes only a truncated number of elements. The unfilled portion of the output tensor retains whatever was previously in GPU memory. In multi-tenant inference deployments, this residual GPU memory may contain tensor data from other users' inference requests, constituting information disclosure. This vulnerability is fixed in 0.23.1rc0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-681 - Incorrect Conversion between Numeric Types
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: >= 0.5.5, < 0.23.1rc0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53923",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T15:04:15.555317Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T15:05:21.711Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.5.5, \u003c 0.23.1rc0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). From 0.5.5 until 0.23.1rc0, integer truncation of tensor dimensions in vLLM\u0027s GGUF dequantize kernels (csrc/quantization/gguf/gguf_kernel.cu) causes partial tensor processing. The output tensor is allocated at full size via torch::empty (uninitialized memory), but the dequantize CUDA kernel processes only a truncated number of elements. The unfilled portion of the output tensor retains whatever was previously in GPU memory. In multi-tenant inference deployments, this residual GPU memory may contain tensor data from other users\u0027 inference requests, constituting information disclosure. This vulnerability is fixed in 0.23.1rc0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-681",
                  "description": "CWE-681: Incorrect Conversion between Numeric Types",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T21:55:42.001Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-5jv2-g5wq-cmr4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-5jv2-g5wq-cmr4"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/44971",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/44971"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/f219788f91952827132fa4fdf916427cd20d225e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/f219788f91952827132fa4fdf916427cd20d225e"
            }
          ],
          "source": {
            "advisory": "GHSA-5jv2-g5wq-cmr4",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM GGUF Kernels: int64_t to int truncation of tensor dimensions causes GPU buffer overflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53923",
        "datePublished": "2026-06-22T21:55:42.001Z",
        "dateReserved": "2026-06-11T15:46:12.316Z",
        "dateUpdated": "2026-06-23T15:05:21.711Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12491 (GCVE-0-2026-12491)

    Vulnerability from cvelistv5 – Published: 2026-06-17 10:07 – Updated: 2026-07-07 07:44
    VLAI
    Title
    Vllm: vllm: image exif rotation & png trns transparency not normalized, causing mismatch between model input and expectations
    Summary
    A flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-115 - Misinterpretation of Input
    Assigner
    References
    URL Tags
    https://access.redhat.com/security/cve/CVE-2026-12491 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2489786 issue-trackingx_refsource_REDHAT
    Impacted products
    Date Public
    2026-06-10 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12491",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T14:47:47.319727Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-17T14:47:57.047Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/vllm-project/vllm",
              "defaultStatus": "unaffected",
              "packageName": "vllm",
              "product": "vLLM",
              "vendor": "vllm-project",
              "versions": [
                {
                  "lessThan": "0.24.0",
                  "status": "affected",
                  "version": "0.11.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaiis/vllm-cpu-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaiis/vllm-cuda-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaiis/vllm-neuron-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaiis/vllm-rocm-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaiis/vllm-spyre-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaiis/vllm-tpu-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaii/vllm-cpu-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaii/vllm-cuda-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaii/vllm-gaudi-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaii/vllm-neuron-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaii/vllm-rocm-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaii/vllm-spyre-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:ai_inference_server:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhaii/vllm-tpu-rhel9",
              "product": "Red Hat AI Inference Server",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:enterprise_linux_ai:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhelai3/bootc-aws-cuda-rhel9",
              "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:enterprise_linux_ai:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhelai3/bootc-azure-cuda-rhel9",
              "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:enterprise_linux_ai:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhelai3/bootc-azure-rocm-rhel9",
              "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:enterprise_linux_ai:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhelai3/bootc-cuda-rhel9",
              "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:enterprise_linux_ai:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhelai3/bootc-gaudi-rhel9",
              "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:enterprise_linux_ai:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhelai3/bootc-gcp-cuda-rhel9",
              "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:enterprise_linux_ai:3"
              ],
              "defaultStatus": "affected",
              "packageName": "rhelai3/bootc-rocm-rhel9",
              "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:openshift_ai"
              ],
              "defaultStatus": "affected",
              "packageName": "rhoai/odh-kserve-agent-rhel9",
              "product": "Red Hat OpenShift AI (RHOAI)",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:openshift_ai"
              ],
              "defaultStatus": "affected",
              "packageName": "rhoai/odh-kserve-controller-rhel9",
              "product": "Red Hat OpenShift AI (RHOAI)",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:openshift_ai"
              ],
              "defaultStatus": "affected",
              "packageName": "rhoai/odh-kserve-router-rhel9",
              "product": "Red Hat OpenShift AI (RHOAI)",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:openshift_ai"
              ],
              "defaultStatus": "affected",
              "packageName": "rhoai/odh-kserve-storage-initializer-rhel9",
              "product": "Red Hat OpenShift AI (RHOAI)",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:openshift_ai"
              ],
              "defaultStatus": "affected",
              "packageName": "rhoai/odh-llm-d-kv-cache-rhel9",
              "product": "Red Hat OpenShift AI (RHOAI)",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:openshift_ai"
              ],
              "defaultStatus": "affected",
              "packageName": "rhoai/odh-vllm-cuda-rhel9",
              "product": "Red Hat OpenShift AI (RHOAI)",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:openshift_ai"
              ],
              "defaultStatus": "affected",
              "packageName": "rhoai/odh-vllm-gaudi-rhel9",
              "product": "Red Hat OpenShift AI (RHOAI)",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:openshift_ai"
              ],
              "defaultStatus": "affected",
              "packageName": "rhoai/odh-vllm-rocm-rhel9",
              "product": "Red Hat OpenShift AI (RHOAI)",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2026-06-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-115",
                  "description": "Misinterpretation of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T07:44:29.614Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-12491"
            },
            {
              "name": "RHBZ#2489786",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489786"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-17T07:56:27.368Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-10T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Vllm: vllm: image exif rotation \u0026 png trns transparency not normalized, causing mismatch between model input and expectations",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-115: Misinterpretation of Input"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-12491",
        "datePublished": "2026-06-17T10:07:28.756Z",
        "dateReserved": "2026-06-17T07:24:01.437Z",
        "dateUpdated": "2026-07-07T07:44:29.614Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9540 (GCVE-0-2026-9540)

    Vulnerability from cvelistv5 – Published: 2026-05-26 10:30 – Updated: 2026-05-26 13:47
    VLAI
    Title
    vllm-project vllm OpenAI-compatible Serving Path denial of service
    Summary
    A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: 0.19.0
        cpe:2.3:a:vllm-project:vllm:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Zyz3366 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9540",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T13:47:49.051201Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T13:47:57.215Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:vllm-project:vllm:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "OpenAI-compatible Serving Path"
              ],
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.19.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Zyz3366 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-404",
                  "description": "Denial of Service",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-26T10:30:12.648Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-365601 | vllm-project vllm OpenAI-compatible Serving Path denial of service",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/vuln/365601"
            },
            {
              "name": "VDB-365601 | CTI Indicators (IOB, IOC, TTP)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/365601/cti"
            },
            {
              "name": "Submit #814645 | vllm-project vllm 0.19.0 Denial of Service",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/814645"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/vllm-project/vllm/issues/37343"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/37594"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://ingero.io/debugging-vllm-latency-minimax-ollama-mcp/"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/vllm-project/vllm/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-26T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-26T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-26T07:50:13.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "vllm-project vllm OpenAI-compatible Serving Path denial of service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-9540",
        "datePublished": "2026-05-26T10:30:12.648Z",
        "dateReserved": "2026-05-26T05:44:55.913Z",
        "dateUpdated": "2026-05-26T13:47:57.215Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }