PatchSiren

vllm-project CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH vllm-project CVE published 2026-07-06

CVE-2026-55574

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T21:16:57.347Z and has not been modified since then. The vLLM inference and serving engine for LLMs is vulnerable to a denial-of-service attack due to an issue with the structured_outputs.regex API parameter. Prior to version 0.24.0, the API parameter passes a user-supplied regular expression stri [truncated]

HIGH vllm-project CVE published 2026-07-06

CVE-2026-55514

A vulnerability in the vLLM library for LLM inference and serving, from version 0.12.0 to before 0.24.0, allows remote users to induce a crash via a /v1/completions request with a model using M-RoPE. This issue arises from a failure in the EngineCore assertion when a pure prompt embeds payload in the request. The vulnerability is fixed in version 0.24.0. This issue has a high impact on the security of the [truncated]

HIGH vllm-project CVE published 2026-07-06

CVE-2026-54234

A high-throughput and memory-efficient inference and serving engine for LLMs, vLLM, is vulnerable to a denial of service attack. Prior to version 0.24.0, a specific multi-request speculative decoding workload can cause the engine to crash, resulting in a service-wide denial of service for other clients until the worker is restarted. The vulnerability exists in the vLLM engine's handling of speculative dec [truncated]

MEDIUM vllm-project CVE published 2026-07-06

CVE-2026-55646

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T20:16:37.663Z and has not been modified since then. The NVD entry is currently Analyzed. This vulnerability affects vLLM versions from 0.22.0 to 0.23.0, allowing API callers to submit oversized multipart uploads, potentially causing memory pressure or process termination. The issue is fixed in ve [truncated]

MEDIUM vllm-project CVE published 2026-06-22

CVE-2026-54236

CVE-2026-54236 is a vulnerability in vLLM, an inference and serving engine for large language models (LLMs). The incomplete fix for CVE-2026-22778 allows an unauthenticated attacker to send malformed image bytes through the Anthropic Messages API image content parts, leaking the heap memory address verbatim in the error.message field of the response body. This issue was fixed in version 0.23.1rc0. The vul [truncated]

MEDIUM vllm-project CVE published 2026-06-22

CVE-2026-54235

CVE-2026-54235 is a vulnerability in vLLM, an inference and serving engine for large language models (LLMs). The vulnerability allows for undefined behavior or CUDA errors that can crash the inference worker due to improper temperature validation. This issue was fixed in version 0.23.1rc0. The vulnerability has a CVSS score of 6.9 and is classified as MEDIUM severity. The CVE was published on June 22, 202 [truncated]

MEDIUM vllm-project CVE published 2026-06-22

CVE-2026-53923

A vulnerability in vLLM, an inference and serving engine for large language models (LLMs), was discovered. The issue, tracked as CVE-2026-53923, affects versions from 0.5.5 until 0.23.1rc0. The vulnerability is caused by integer truncation of tensor dimensions in vLLM's GGUF dequantize kernels, leading to partial tensor processing. The output tensor is allocated at full size, but the dequantize CUDA kerne [truncated]

MEDIUM vllm-project CVE published 2026-06-22

CVE-2026-47155

CVE-2026-47155 is a supply-chain integrity issue in vLLM, a large language model inference and serving engine. Prior to version 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. This inconsistency allows deployments that specify --revision or --code-revision to still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repos [truncated]

HIGH vllm-project CVE published 2026-06-22

CVE-2026-41523

CVE-2026-41523 is a high-severity vulnerability in vLLM, a large language model inference and serving engine. The vulnerability allows unauthenticated attackers to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model when vLLM runs in Python optimized mode. This issue was fixed in version 0.22.0. The vulnerability has a CVSS score of 7.5 and is considered high severit [truncated]

HIGH vllm-project CVE published 2026-06-11

CVE-2026-5497

CVE-2026-5497 is a HIGH severity vulnerability in vLLM, a library for large language models. Versions 0.8.0 and later are vulnerable to an Out-of-Memory (OOM) Denial of Service (DoS) attack due to unbounded frame count processing in the `VideoMediaIO.load_base64()` method. This method processes `video/jpeg` data URLs by splitting the base64 data string on commas to extract individual JPEG frames without e [truncated]

HIGH vllm-project CVE published 2026-05-28

CVE-2026-4944

CVE-2026-4944 is a HIGH severity vulnerability (CVSS 8.8) in vllm-project/vllm version 0.14.1, published 2026-05-28. The issue involves hardcoded `trust_remote_code=True` parameters in two specific model implementation files: `vllm/model_executor/models/nemotron_vl.py` and `vllm/model_executor/models/kimi_k25.py`. This hardcoding bypasses the user's explicit `--trust-remote-code=False` command-line settin [truncated]

MEDIUM vllm-project CVE published 2026-05-26

CVE-2026-9540

A denial-of-service vulnerability exists in vLLM 0.19.0 affecting the OpenAI-compatible serving path. The issue allows remote attackers to trigger service disruption through unspecified manipulation of the serving component. A fix has been proposed via pull request but awaits maintainer acceptance. The vulnerability is classified as medium severity with a CVSS 4.0 score of 5.5, reflecting network accessib [truncated]

MEDIUM vllm-project CVE published 2026-04-06

CVE-2026-34756

CVE-2026-34756 is a Denial of Service vulnerability in the vLLM OpenAI-compatible API server. The vulnerability exists due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models. This allows an unauthenticated attacker to send a single HTTP request with an astronomically large n value, causing immediate Out-Of-Memory crashes by alloca [truncated]

HIGH vllm-project CVE published 2026-03-27

CVE-2026-27893

CVE-2026-27893 is a high-severity vulnerability in vLLM, a large language model inference and serving engine. The vulnerability allows for remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. This issue was introduced in version 0.10.1 and patched in version 0.18.0. The vulnerability has a CVSS score of 8.8 and is considered HIGH severity. Us [truncated]

HIGH vllm-project CVE published 2026-03-09

CVE-2026-25960

CVE-2026-25960 is a high-severity vulnerability in vLLM, a large language model inference and serving engine. The SSRF protection fix for CVE-2026-24779 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. This vulnerability exists in version 0.17.0. The Common Vulnerability Scoring System (CVSS) score for this [truncated]

CRITICAL vllm-project CVE published 2026-02-02

CVE-2026-22778

CVE-2026-22778 is a critical vulnerability in vLLM, a large language model inference and serving engine. The vulnerability allows for information disclosure and potential remote code execution. From version 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error, which is then returned to the client, leaking a heap address. This leak reduces ASLR from 4 bil [truncated]

HIGH vllm-project CVE published 2026-01-21

CVE-2026-22807

CVE-2026-22807 is a high-severity vulnerability in vLLM, an inference and serving engine for large language models. The vulnerability allows for arbitrary code execution on the vLLM host during model load, prior to any request handling and without requiring API access. This is possible because vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without properly gating on `trust_remo [truncated]