Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable inference API needing a low-privilege caller (PR:L), no user interaction; demonstrated impact is crash/DoS (A:H) with only potential, unproven memory corruption, so C and I are L.
Primary rating from Vendor (VulnCheck).
Description (CVE.org)
vLLM versions >= 0.10.2 and < 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests with malformed (negative or out-of-bounds) tensor indices, when the prompt-embeds feature is enabled, to trigger crashes or resource exhaustion (denial of service), with potential for out-of-bounds/write-what-where memory corruption. This continues CVE-2025-62164, whose prior fix only disabled the feature by default rather than addressing the root cause.
Analysis (AI)
Denial of service and potential memory corruption in vLLM versions 0.10.2 through 0.12.x stems from missing sparse tensor validation in multimodal embeddings processing, allowing authenticated remote users to submit crafted prompt-embedding requests with malformed tensor indices. Because PyTorch disables sparse tensor invariant checks by default, attackers can crash the inference server or exhaust resources, with potential out-of-bounds or write-what-where memory corruption. …
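As an added example (not vLLM's code and not the fix from the referenced pull request), the following pure-Python check enforces the COO sparse-tensor invariants that PyTorch skips by default, which is the gap the description and analysis above point to: the index matrix must have one row per dimension and one column per stored value, and every coordinate must be a non-negative integer below the declared size of its dimension. The `CooTensor` container and the sample requests are constructed for the example; a cap on the number of stored elements is added as a resource-exhaustion guard.

```python
from dataclasses import dataclass


class SparseTensorError(ValueError):
    """Raised when a COO sparse tensor in a request violates an invariant."""


@dataclass
class CooTensor:
    # Constructed stand-in for a COO sparse tensor carried in an embedding request:
    # indices[d][k] is the coordinate of the k-th stored value along dimension d.
    size: tuple
    indices: list
    values: list


def validate_coo(t: CooTensor) -> int:
    """Enforce the invariants PyTorch skips by default; return nnz or raise."""
    ndim = len(t.size)
    if ndim == 0 or any(s < 0 for s in t.size):
        raise SparseTensorError(f"invalid size {list(t.size)}")
    if len(t.indices) != ndim:
        raise SparseTensorError(f"{len(t.indices)} index rows for {ndim} dimensions")
    nnz = len(t.values)
    for d, row in enumerate(t.indices):
        if len(row) != nnz:
            raise SparseTensorError(f"dimension {d}: {len(row)} indices for {nnz} values")
        for k, idx in enumerate(row):
            # A negative or too-large coordinate is what an unchecked kernel would
            # turn into an out-of-bounds read or write of the dense buffer.
            if type(idx) is not int or idx < 0 or idx >= t.size[d]:
                raise SparseTensorError(
                    f"index {idx} (entry {k}) out of range for dim {d} of size {t.size[d]}"
                )
    return nnz


def accept_embedding(t: CooTensor, max_nnz: int) -> bool:
    """Gate a request tensor: structural invariants plus a cap on stored elements."""
    try:
        nnz = validate_coo(t)
    except SparseTensorError:
        return False
    return nnz <= max_nnz


# Constructed sample requests: a well-formed 4x8 embedding and two malformed ones.
GOOD = CooTensor(size=(4, 8), indices=[[0, 3], [1, 7]], values=[0.5, -1.25])
NEGATIVE = CooTensor(size=(4, 8), indices=[[0, -1], [1, 7]], values=[0.5, -1.25])
OOB = CooTensor(size=(4, 8), indices=[[0, 3], [1, 8]], values=[0.5, -1.25])
```

In a real deployment the same invariants can be enforced by PyTorch itself, by constructing the tensor with `torch.sparse_coo_tensor(..., check_invariants=True)` or inside a `torch.sparse.check_sparse_tensor_invariants()` context, instead of relying on the default, which leaves them off.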
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The vLLM server must have the prompt-embeds (multimodal embeddings) feature explicitly enabled; it is disabled by default since the CVE-2025-62164 remediation, so vanilla deployments are not exposed. … |
| Risk Assessment | CVSS 4.0 base 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) is consistent with a network-reachable, low-privilege bug yielding high impact across confidentiality, integrity, and availability, driven by the documented potential for write-what-where memory corruption, not merely the DoS. … |
| Exploit Scenario | A tenant or low-privileged user on a multi-tenant vLLM inference service with prompt-embeds enabled submits an inference request whose embedding tensor carries crafted sparse indices that are negative or exceed the declared dimensions. PyTorch accepts the tensor without invariant checks, and downstream kernels read or write out-of-bounds memory, immediately crashing the worker (denial of service for all co-located tenants) with the documented potential to escalate into write-what-where memory corruption. … |
| Remediation | Vendor-released patch: upgrade vLLM to 0.13.0 or later, which adds explicit sparse tensor invariant validation per pull request https://github.com/vllm-project/vllm/pull/30649 and the advisory at https://github.com/vllm-project/vllm/security/advisories/GHSA-mcmc-2m55-j8jj. … |
Recommended Action (AI)
24 hours: Catalog all vLLM 0.10.2-0.12.x deployments in production and development; confirm API access logging is enabled; prepare rollback procedures. …
EUVD-2026-38129