PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55646 vllm-project CVE debrief

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T20:16:37.663Z and has not been modified since then. The NVD entry is currently Analyzed. This vulnerability affects vLLM versions from 0.22.0 to 0.23.0, allowing API callers to submit oversized multipart uploads, potentially causing memory pressure or process termination. The issue is fixed in version 0.24.0, and users should be aware of this vulnerability and take steps to mitigate it.

Vendor
vllm-project
Product
vllm
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

Users of vLLM, especially those deploying versions between 0.22.0 and 0.23.0, should be aware of this vulnerability and take steps to mitigate it. This includes administrators, security teams, and developers who work with vLLM or use it in their applications. They should review their deployments, assess the risk, and apply the necessary patches or mitigations.

Technical summary

The vLLM inference and serving engine for large language models, in versions from 0.22.0 to 0.23.0, has a vulnerability in the /v1/audio/transcriptions and /v1/audio/translations routes. An API caller can submit an oversized multipart upload, causing vLLM to allocate memory proportional to the uploaded file size before the request is rejected as too large. This can lead to memory pressure or process termination depending on deployment resource limits. The issue is fixed in version 0.24.0, and users should upgrade to this version or later.

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade to vLLM version 0.24.0 or later
  • Implement monitoring for API usage and memory allocation
  • Configure resource limits to prevent process termination
  • Review and adjust the VLLM_MAX_AUDIO_CLIP_FILESIZE_MB limit as necessary
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record and NVD entry provide details on the vulnerability. The vendor has released a patch in version 0.24.0. Users should verify their deployment and apply the patch or mitigations as needed. The vulnerability allows API callers to submit oversized multipart uploads, potentially causing memory pressure or process termination. The issue is fixed in version 0.24.0.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T20:16:37.663Z and has not been modified since then.