Skip to main content

vLLM CVE-2026-54234

| EUVDEUVD-2026-41921 HIGH
Improper Input Validation (CWE-20)
2026-07-06 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote unauthenticated client crashes the shared worker with legal requests (AV:N/PR:N/AC:L); impact is availability-only DoS, so C:N/I:N/A:H and scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jul 06, 2026 - 22:02 EUVD
Analysis Generated
Jul 06, 2026 - 21:02 vuln.today

DescriptionCVE.org

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal multi-request speculative decoding workload can cause the rejection sampler to produce a recovered token equal to the model vocabulary size boundary value, which is then converted to negative one when the engine selects the next live token for a request and is written back into the drafter's input ids; that out-of-vocabulary value is later consumed by the model's embedding and attention path and crashes the engine worker with a GPU device-side assertion. The same triggering request sequence is reachable through the public gRPC Generate and Abort endpoints, so a remote client that can send generation requests can crash the shared engine worker, aborting concurrent requests and causing a service-wide denial of service for other clients of the deployment until the worker is restarted. This issue is fixed in version 0.24.0.

AnalysisAI

Denial of service in the vLLM LLM inference server (all versions prior to 0.24.0) allows a remote client to crash the shared engine worker by sending a specific multi-request speculative decoding workload. The rejection sampler produces a recovered token equal to the vocabulary-size boundary, which is coerced to -1, written back into the drafter's input ids, and later dereferenced by the embedding/attention path, triggering a GPU device-side assertion that kills the worker. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Reach exposed gRPC Generate endpoint
Delivery
Submit crafted multi-request speculative workload
Exploit
Sampler emits vocab-size boundary token
Install
Value coerced to -1 in drafter input ids
C2
Out-of-vocab embedding/attention lookup
Execute
GPU device-side assertion crashes worker
Impact
Concurrent requests aborted, service-wide DoS

Vulnerability AssessmentAI

Exploitation Exploitation requires the target vLLM deployment (before 0.24.0) to be running with speculative decoding enabled and to expose the public gRPC Generate and Abort endpoints to the attacker; the attacker then submits a frontend-legal multi-request speculative-decoding workload that steers the rejection sampler to the vocabulary-size boundary token. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are internally consistent and point to a genuine but bounded (availability-only) risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with the ability to submit generation requests to a vLLM deployment that has speculative decoding enabled sends a crafted multi-request workload that drives the rejection sampler to emit the vocab_size boundary token. The out-of-vocabulary value is fed back into the model's embedding/attention path and triggers a GPU device-side assertion, crashing the shared engine worker and aborting all concurrent users' requests until the worker restarts. …
Remediation Vendor-released patch: upgrade vLLM to version 0.24.0 or later, which fixes the boundary-token handling in the rejection sampler (advisory GHSA-8wr5-jm2h-8r4f; fix in PR 44744 / commit 8a5cf1ccd65e8ac7635c402c1ec0b08988bc26ca). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Enable request-level rate limiting and input validation on all vLLM instances; configure monitoring/alerting for worker process crashes. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Vllm

View all
CVE-2025-32444 CRITICAL POC
10.0 Apr 30

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 10.0

CVE-2024-11041 CRITICAL POC
9.8 Mar 20

vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. Rated critical sev

CVE-2026-22778 CRITICAL POC
9.8 Feb 02

Information exposure in vLLM inference engine versions 0.8.3 to before 0.14.1. Invalid image requests to the multimodal

CVE-2025-30202 HIGH POC
7.5 Apr 30

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated high severity (CVSS 7.5), th

CVE-2026-24779 HIGH POC
7.1 Jan 27

vLLM before version 0.14.1 contains a server-side request forgery vulnerability in the MediaConnector class where incons

CVE-2025-46560 MEDIUM POC
6.5 Apr 30

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated medium severity (CVSS 6.5),

CVE-2026-22773 MEDIUM POC
6.5 Jan 10

Vllm versions up to 0.12.0 is affected by allocation of resources without limits or throttling (CVSS 6.5).

CVE-2026-22807 CRITICAL
9.8 Jan 21

Remote code execution in vLLM 0.10.1 through 0.13.x lets an attacker who controls the model repository or path run arbit

CVE-2026-25960 CRITICAL
9.8 Mar 09

Server-Side Request Forgery in vLLM's multimodal MediaConnector allows remote attackers to coerce the inference server i

CVE-2026-9540 MEDIUM POC
5.5 May 26

Denial of service in vllm 0.19.0's OpenAI-compatible serving path allows remote unauthenticated attackers to exhaust sch

CVE-2025-29783 CRITICAL
9.0 Mar 19

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 9.0)

CVE-2026-54232 HIGH
8.8 Jun 22

Remote code execution in vLLM versions prior to 0.22.1 allows attackers to backdoor production LLM inference deployments

Share

CVE-2026-54234 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy