Skip to main content

vLLM CVE-2026-55646

| EUVDEUVD-2026-41914 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-07-06 GitHub_M
6.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Network-reachable via HTTP API; requires authenticated low-privilege credentials (PR:L); no confidentiality or integrity impact, only availability exhaustion via uncontrolled memory allocation.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jul 06, 2026 - 21:16 EUVD
Analysis Generated
Jul 06, 2026 - 20:15 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on vllm (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.22.0.

DescriptionCVE.org

vLLM is an inference and serving engine for large language models. From 0.22.0 to 0.23.0, the /v1/audio/transcriptions and /v1/audio/translations routes call request.file.read() to fully materialize an uploaded audio file into memory before vLLM checks the documented VLLM_MAX_AUDIO_CLIP_FILESIZE_MB compressed upload size limit (default 25 MB) later in the speech-to-text preprocessing step, so an API caller who can reach those routes can submit an oversized multipart upload and cause vLLM to allocate memory proportional to the uploaded file size before the request is rejected as too large, creating memory pressure or terminating the process depending on deployment resource limits. This issue is fixed in version 0.24.0.

AnalysisAI

Memory exhaustion in vLLM 0.22.0-0.23.0 allows authenticated API callers to crash or destabilize the inference server by uploading arbitrarily large audio files. The /v1/audio/transcriptions and /v1/audio/translations endpoints invoke request.file.read() to fully buffer multipart uploads into process memory before the VLLM_MAX_AUDIO_CLIP_FILESIZE_MB size guard is evaluated, meaning the size limit is checked only after the damage is done. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege vLLM API credentials
Delivery
Craft oversized multipart audio upload (multi-GB)
Exploit
POST to /v1/audio/transcriptions or /v1/audio/translations
Execution
vLLM calls request.file.read() allocating memory before size check
Persist
Heap exhausted triggering OOM-kill or severe memory pressure
Impact
Inference service unavailable

Vulnerability AssessmentAI

Exploitation Exploitation requires network access to the vLLM API server and valid API credentials granting at least low-privilege access (confirmed by CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 (Medium) accurately reflects the threat profile: network-reachable (AV:N), trivially low complexity (AC:L), but gated behind low-privilege authentication (PR:L), with impact limited entirely to availability (A:H, C:N, I:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privilege vLLM API credentials (e.g., a shared API key from an internal inference platform) sends a multipart POST to `/v1/audio/transcriptions` containing a multi-gigabyte file payload. Before any size validation runs, vLLM's request handler calls `request.file.read()`, allocating gigabytes of heap memory in the inference server process. …
Remediation The primary remediation is upgrading to vLLM 0.24.0, where the fix is confirmed in commit b997071ec493765abbed990c65843ed05e4708a8 (see https://github.com/vllm-project/vllm/commit/b997071ec493765abbed990c65843ed05e4708a8) and pull request https://github.com/vllm-project/vllm/pull/45510. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Vllm

View all
CVE-2025-32444 CRITICAL POC
10.0 Apr 30

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 10.0

CVE-2024-11041 CRITICAL POC
9.8 Mar 20

vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. Rated critical sev

CVE-2026-22778 CRITICAL POC
9.8 Feb 02

Information exposure in vLLM inference engine versions 0.8.3 to before 0.14.1. Invalid image requests to the multimodal

CVE-2025-30202 HIGH POC
7.5 Apr 30

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated high severity (CVSS 7.5), th

CVE-2026-24779 HIGH POC
7.1 Jan 27

vLLM before version 0.14.1 contains a server-side request forgery vulnerability in the MediaConnector class where incons

CVE-2025-46560 MEDIUM POC
6.5 Apr 30

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated medium severity (CVSS 6.5),

CVE-2026-22773 MEDIUM POC
6.5 Jan 10

Vllm versions up to 0.12.0 is affected by allocation of resources without limits or throttling (CVSS 6.5).

CVE-2026-22807 CRITICAL
9.8 Jan 21

Remote code execution in vLLM 0.10.1 through 0.13.x lets an attacker who controls the model repository or path run arbit

CVE-2026-25960 CRITICAL
9.8 Mar 09

Server-Side Request Forgery in vLLM's multimodal MediaConnector allows remote attackers to coerce the inference server i

CVE-2026-9540 MEDIUM POC
5.5 May 26

Denial of service in vllm 0.19.0's OpenAI-compatible serving path allows remote unauthenticated attackers to exhaust sch

CVE-2025-29783 CRITICAL
9.0 Mar 19

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 9.0)

CVE-2026-54232 HIGH
8.8 Jun 22

Remote code execution in vLLM versions prior to 0.22.1 allows attackers to backdoor production LLM inference deployments

Share

CVE-2026-55646 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy