Denial of Service Vulnerability in vLLM by VLLM Project
CVE-2026-34755

6.5 MEDIUM

Key Information:

Status
Vendor
CVE Published: 6 April 2026

What is CVE-2026-34755?

The vLLM inference and serving engine for large language models contains a vulnerability in the VideoMediaIO.load_base64() method. In versions from 0.7.0 up to, but not including, 0.19.0, this method does not enforce a limit on the number of JPEG frames extracted from base64 data URLs. An attacker can exploit this by sending a single API request containing a large number of comma-separated base64-encoded JPEG frames, which exhausts the server's memory and crashes it. The flaw is fixed in version 0.19.0.
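For deployments that cannot upgrade immediately, a pre-decode check of the kind below can be placed in front of the API. It is an added example, not vLLM's code and not the 0.19.0 fix. The data URL layout (one base64 header followed by comma-separated frames), the function names and both limits are assumptions drawn from the description above.

```python
import base64
import binascii

MAX_FRAMES = 32              # assumed cap; tune to the model's real frame budget
MAX_PAYLOAD_CHARS = 8 << 20  # assumed cap on the encoded payload (8 MiB of text)
JPEG_SOI = b"\xff\xd8"       # JPEG start-of-image marker


class FrameLimitError(ValueError):
    """Raised when a payload exceeds the configured limits."""


def check_frame_payload(data_url, max_frames=MAX_FRAMES, max_chars=MAX_PAYLOAD_CHARS):
    """Validate a multi-frame data URL before any frame is decoded; return the count."""
    header, sep, payload = data_url.partition(",")
    if not sep or not header.startswith("data:") or not header.endswith(";base64"):
        raise ValueError("not a base64 data URL")
    if len(payload) > max_chars:
        raise FrameLimitError(f"payload of {len(payload)} chars exceeds {max_chars}")
    # Count separators instead of calling split(): no per-frame objects are
    # allocated until the count is known to be within bounds.
    n_frames = payload.count(",") + 1
    if n_frames > max_frames:
        raise FrameLimitError(f"{n_frames} frames exceeds limit of {max_frames}")
    return n_frames


def iter_frames(data_url, **limits):
    """Yield decoded JPEG bytes one frame at a time, after the limit check."""
    check_frame_payload(data_url, **limits)
    for i, chunk in enumerate(data_url.partition(",")[2].split(",")):
        try:
            raw = base64.b64decode(chunk, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"frame {i}: invalid base64") from exc
        if not raw.startswith(JPEG_SOI):
            raise ValueError(f"frame {i}: missing JPEG SOI marker")
        yield raw


# Constructed sample: three minimal stand-in "frames" (SOI + EOI markers only).
FRAME_B64 = base64.b64encode(b"\xff\xd8\xff\xd9").decode()
SAMPLE_URL = "data:video/jpeg;base64," + ",".join([FRAME_B64] * 3)
```

Rejecting on the separator count keeps the cost of an oversized request to a single string scan; a request body size limit at the reverse proxy remains a useful outer bound.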

Affected Version(s)

vllm >= 0.7.0, < 0.19.0

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
