PatchSiren

vLLM CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM vLLM CVE published 2026-06-20

CVE-2025-71379

CVE-2025-71379 is a medium-severity vulnerability affecting vLLM: versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. They stem from susceptible regex patterns in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint. An attacker can trigger severe CPU consumption and perf [truncated]

MEDIUM vLLM CVE published 2026-04-02

CVE-2026-34760

CVE-2026-34760 describes an audio-processing integrity issue in environments using vLLM with Librosa: mono downmixing defaults to numpy.mean, whereas ITU-R BS.775-4 calls for weighted downmixing. That mismatch can cause the audio interpreted by AI systems to differ from what humans hear, producing inconsistent model inputs. The issue is assigned CVSS 5.9 (Medium) and is patched in vLLM 0.18.0.