EUVD-2026-31810
GHSA-98f3-hwg4-4rf7
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.
AnalysisAI
Denial of service in vllm 0.19.0's OpenAI-compatible serving path allows remote unauthenticated attackers to exhaust scheduler resources by submitting requests with unbounded logprob counts. The root cause, confirmed by PR diff analysis, is the absence of any per-batch logprob budget in the v1 scheduler: requests specifying logprobs=-1 (full vocabulary) multiplied across parallel sequences (n) generate massive compute and memory overhead with no cap, blocking or crashing the inference server. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The OpenAI-compatible serving path must be enabled (vllm's default when launched with --served-model-name or equivalent API server mode). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.5 with vector AV:N/AC:L/AT:N/PR:N/UI:N reflects moderate severity but understates operational risk for publicly exposed vllm deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to a publicly exposed vllm OpenAI-compatible endpoint submits a crafted /v1/completions or /v1/chat/completions request with logprobs=-1 (full vocabulary) and a high n value (many parallel completions). The v1 scheduler, lacking any logprob budget, computes the cost as n × vocab_size (potentially millions), allocates the corresponding memory and GPU compute, causing OOM errors or complete latency stalls that render the inference server unresponsive. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - PR #37594 at https://github.com/vllm-project/vllm/pull/37594 implements the fix but was awaiting acceptance at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today