CVE-2026-9540 vllm-project CVE debrief

A denial-of-service vulnerability exists in vLLM 0.19.0 and affects the OpenAI-compatible serving path. It allows remote attackers to trigger service disruption; the stored evidence does not specify how the serving component is manipulated. A fix has been proposed via pull request but awaits maintainer acceptance. The vulnerability is classified as medium severity with a CVSS 4.0 score of 5.5, reflecting network accessibility, low attack complexity and an availability impact. The exploit is publicly available, which raises the immediate risk for exposed deployments. Organizations running vLLM 0.19.0 with OpenAI-compatible endpoints exposed to untrusted networks should prioritize monitoring for anomalous request patterns and apply the pending patch once it is merged.

Vendor: vllm-project
Product: vllm
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations operating vLLM inference services with OpenAI-compatible endpoints exposed to external networks, particularly those serving production workloads where availability is critical. ML platform teams, MLOps engineers, and security teams responsible for AI/ML infrastructure should prioritize this vulnerability given the public exploit availability and pending patch status.

Technical summary

The vulnerability resides in vLLM 0.19.0's OpenAI-compatible serving path, where improper handling of certain requests can lead to resource exhaustion or service disruption. The attack vector is network-based with no authentication required. Root cause appears related to CWE-404 (Improper Resource Shutdown or Release), suggesting inadequate cleanup of connections, streams, or processing threads. The publicly available exploit enables remote attackers to degrade or disable model serving capabilities. Pending pull request #37594 addresses the underlying resource management deficiency.

Defensive priority

Medium

Recommended defensive actions

  • Monitor vLLM serving infrastructure for anomalous request patterns that may indicate exploitation attempts
  • Review and restrict network access to vLLM OpenAI-compatible endpoints to trusted sources only
  • Track GitHub pull request #37594 for merge status and apply patch immediately upon release
  • Consider implementing rate limiting and request size constraints as compensating controls
  • Review vLLM issue #37343 for technical details on affected request patterns
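The rate-limiting and request-size controls recommended above, shown as an added example that is not vLLM project code and not part of this advisory. It assumes a gate (a proxy or an admission layer in front of the server) that sees, per request, the client address, the request body size and whether the response is streamed; the event format, thresholds and client addresses are constructed for illustration. Replaying a constructed request log through the gate shows which clients would be throttled and why, which is also the signal a monitoring rule for anomalous request patterns would alert on.

```python
"""Compensating controls for an OpenAI-compatible inference endpoint:
per-client token-bucket rate limiting, a request-body size cap and a cap on
concurrently open streaming responses, replayed over a constructed request log.
Added illustration, not vLLM code; format, thresholds and addresses are assumed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Limits:
    rate_per_sec: float = 2.0        # sustained requests per second per client
    burst: int = 5                   # token-bucket capacity (short bursts allowed)
    max_body_bytes: int = 64 * 1024  # reject oversized prompts before the model sees them
    max_open_streams: int = 2        # concurrent streaming responses per client


@dataclass
class ClientState:
    tokens: float
    last_ts: float
    open_streams: int = 0


class RequestGate:
    """Admission decision per request; clients are keyed by source address (assumed)."""

    def __init__(self, limits=None):
        self.limits = limits or Limits()
        self.clients = {}

    def _state(self, client, ts):
        st = self.clients.get(client)
        if st is None:
            st = ClientState(tokens=float(self.limits.burst), last_ts=ts)
            self.clients[client] = st
        return st

    def admit(self, client, ts, body_bytes, stream):
        """Return (allowed, reason). Call in timestamp order for each client."""
        lim = self.limits
        st = self._state(client, ts)
        # Refill the bucket for the time elapsed since this client's last request.
        elapsed = max(0.0, ts - st.last_ts)
        st.tokens = min(float(lim.burst), st.tokens + elapsed * lim.rate_per_sec)
        st.last_ts = ts
        # Size check first: cheapest test, and it does not consume a token.
        if body_bytes > lim.max_body_bytes:
            return False, "body_too_large"
        if stream and st.open_streams >= lim.max_open_streams:
            return False, "too_many_open_streams"
        if st.tokens < 1.0:
            return False, "rate_limited"
        st.tokens -= 1.0
        if stream:
            st.open_streams += 1
        return True, "ok"

    def close_stream(self, client):
        """Release a streaming slot when the response ends or the client disconnects."""
        st = self.clients.get(client)
        if st is not None and st.open_streams > 0:
            st.open_streams -= 1


# Constructed event log: (timestamp_s, client, body_bytes, streamed, kind);
# kind is "request" or "stream_end". Events for one client are in time order.
SAMPLE_EVENTS = [
    # Otherwise normal client that sends one oversized prompt.
    (0.0, "10.0.0.5", 512, False, "request"),
    (0.5, "10.0.0.5", 512, False, "request"),
    (1.0, "10.0.0.5", 300_000, False, "request"),
    (1.2, "10.0.0.5", 512, False, "request"),
    # Burst of eight requests inside 70 ms.
    *[(0.01 * i, "198.51.100.7", 400, False, "request") for i in range(8)],
    # Streaming client that leaves responses open.
    (0.0, "203.0.113.9", 400, True, "request"),
    (1.0, "203.0.113.9", 400, True, "request"),
    (2.0, "203.0.113.9", 400, True, "request"),
    (2.5, "203.0.113.9", 0, True, "stream_end"),
    (3.0, "203.0.113.9", 400, True, "request"),
]


def replay(events, gate=None):
    """Run events through the gate; return per-client allowed/denied counts."""
    gate = gate or RequestGate()
    report = defaultdict(lambda: {"allowed": 0, "denied": Counter()})
    for ts, client, body_bytes, stream, kind in events:
        if kind == "stream_end":
            gate.close_stream(client)
            continue
        allowed, reason = gate.admit(client, ts, body_bytes, stream)
        if allowed:
            report[client]["allowed"] += 1
        else:
            report[client]["denied"][reason] += 1
    return dict(report)


def flagged_clients(report):
    """Clients with at least one denial: candidates for an alert or a block."""
    return sorted(c for c, r in report.items() if r["denied"])


REPORT = replay(SAMPLE_EVENTS)

if __name__ == "__main__":
    for client, r in REPORT.items():
        print(client, "allowed=%d" % r["allowed"], dict(r["denied"]))
    print("flagged:", flagged_clients(REPORT))
```

The size check runs before the bucket is charged so that a rejected oversized body does not also eat the client's request budget, and the streaming cap bounds how many long-lived responses one client can hold open, which is the resource-release concern CWE-404 describes in general terms. Thresholds here are deliberately low to make the replay readable; production values depend on expected prompt sizes and the number of concurrent sequences the deployment is sized for.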

Evidence notes

Vulnerability disclosed 2026-05-26 via NVD with VulDB as CNA. Affects vLLM 0.19.0 OpenAI-compatible serving path. CWE-404 (Improper Resource Shutdown or Release) identified. Pull request #37594 submitted for remediation. Exploit status marked as public per CVSS 4.0 vector (E:P).
