PatchSiren cyber security CVE debrief
CVE-2026-55646 vllm-project CVE debrief
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T20:16:37.663Z and has not been modified since then. The NVD entry is currently Analyzed. This vulnerability affects vLLM versions from 0.22.0 to 0.23.0, allowing API callers to submit oversized multipart uploads, potentially causing memory pressure or process termination. The issue is fixed in version 0.24.0, and users should be aware of this vulnerability and take steps to mitigate it.
- Vendor
- vllm-project
- Product
- vllm
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Users of vLLM, especially those deploying versions between 0.22.0 and 0.23.0, should be aware of this vulnerability and take steps to mitigate it. This includes administrators, security teams, and developers who work with vLLM or use it in their applications. They should review their deployments, assess the risk, and apply the necessary patches or mitigations.
Technical summary
The vLLM inference and serving engine for large language models, in versions from 0.22.0 to 0.23.0, has a vulnerability in the /v1/audio/transcriptions and /v1/audio/translations routes. An API caller can submit an oversized multipart upload, causing vLLM to allocate memory proportional to the uploaded file size before the request is rejected as too large. This can lead to memory pressure or process termination depending on deployment resource limits. The issue is fixed in version 0.24.0, and users should upgrade to this version or later.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to vLLM version 0.24.0 or later
- Implement monitoring for API usage and memory allocation
- Configure resource limits to prevent process termination
- Review and adjust the VLLM_MAX_AUDIO_CLIP_FILESIZE_MB limit as necessary
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record and NVD entry provide details on the vulnerability. The vendor has released a patch in version 0.24.0. Users should verify their deployment and apply the patch or mitigations as needed. The vulnerability allows API callers to submit oversized multipart uploads, potentially causing memory pressure or process termination. The issue is fixed in version 0.24.0.
Official resources
-
CVE-2026-55646 CVE record
CVE.org
-
CVE-2026-55646 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T20:16:37.663Z and has not been modified since then.