Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote unauthenticated client crashes the shared worker with legal requests (AV:N/PR:N/AC:L); impact is availability-only DoS, so C:N/I:N/A:H and scope unchanged.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal multi-request speculative decoding workload can cause the rejection sampler to produce a recovered token equal to the model vocabulary size boundary value, which is then converted to negative one when the engine selects the next live token for a request and is written back into the drafter's input ids; that out-of-vocabulary value is later consumed by the model's embedding and attention path and crashes the engine worker with a GPU device-side assertion. The same triggering request sequence is reachable through the public gRPC Generate and Abort endpoints, so a remote client that can send generation requests can crash the shared engine worker, aborting concurrent requests and causing a service-wide denial of service for other clients of the deployment until the worker is restarted. This issue is fixed in version 0.24.0.
AnalysisAI
Denial of service in the vLLM LLM inference server (all versions prior to 0.24.0) allows a remote client to crash the shared engine worker by sending a specific multi-request speculative decoding workload. The rejection sampler produces a recovered token equal to the vocabulary-size boundary, which is coerced to -1, written back into the drafter's input ids, and later dereferenced by the embedding/attention path, triggering a GPU device-side assertion that kills the worker. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target vLLM deployment (before 0.24.0) to be running with speculative decoding enabled and to expose the public gRPC Generate and Abort endpoints to the attacker; the attacker then submits a frontend-legal multi-request speculative-decoding workload that steers the rejection sampler to the vocabulary-size boundary token. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are internally consistent and point to a genuine but bounded (availability-only) risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with the ability to submit generation requests to a vLLM deployment that has speculative decoding enabled sends a crafted multi-request workload that drives the rejection sampler to emit the vocab_size boundary token. The out-of-vocabulary value is fed back into the model's embedding/attention path and triggers a GPU device-side assertion, crashing the shared engine worker and aborting all concurrent users' requests until the worker restarts. … |
| Remediation | Vendor-released patch: upgrade vLLM to version 0.24.0 or later, which fixes the boundary-token handling in the rejection sampler (advisory GHSA-8wr5-jm2h-8r4f; fix in PR 44744 / commit 8a5cf1ccd65e8ac7635c402c1ec0b08988bc26ca). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Enable request-level rate limiting and input validation on all vLLM instances; configure monitoring/alerting for worker process crashes. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 10.0
vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. Rated critical sev
Information exposure in vLLM inference engine versions 0.8.3 to before 0.14.1. Invalid image requests to the multimodal
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated high severity (CVSS 7.5), th
vLLM before version 0.14.1 contains a server-side request forgery vulnerability in the MediaConnector class where incons
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated medium severity (CVSS 6.5),
Vllm versions up to 0.12.0 is affected by allocation of resources without limits or throttling (CVSS 6.5).
Remote code execution in vLLM 0.10.1 through 0.13.x lets an attacker who controls the model repository or path run arbit
Server-Side Request Forgery in vLLM's multimodal MediaConnector allows remote attackers to coerce the inference server i
Denial of service in vllm 0.19.0's OpenAI-compatible serving path allows remote unauthenticated attackers to exhaust sch
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 9.0)
Remote code execution in vLLM versions prior to 0.22.1 allows attackers to backdoor production LLM inference deployments
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41921