Denial of Service Risk in vLLM Inference Engine by Vendor vLLM
CVE-2026-54233

6.5 MEDIUM

Key Information:

Status: Vendor
CVE Published: 22 June 2026

What is CVE-2026-54233?

The vLLM inference and serving engine for large language models contains a vulnerability that allows for a denial of service. Prior to version 0.23.1rc0, the /v1/audio/transcriptions endpoint did not effectively limit the size of the decoded PCM output, which could expand significantly from a compressed OPUS file. As a result, a file as small as 25MB could decode into roughly 14.9GB of float32 PCM data, potentially overwhelming system resources and leading to service interruptions for users. This issue has been addressed in subsequent updates to ensure safer handling of audio uploads.
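The core of the issue is that a compressed audio container can legitimately decode to far more bytes than it occupies on disk, so an upload-size limit alone does not bound memory use. The guard below is an added illustration of the defensive pattern, not vLLM's own fix or code: it bounds the decoded PCM budget twice, once from the container's declared metadata before any decoder runs, and once again while decoded frames are consumed, because declared metadata is attacker-controlled. The `AudioMetadata` type, the cap values and the frame iterator are assumptions for the example.

```python
"""Illustrative decoded-size guard for an audio transcription endpoint.

Added example, not vLLM's code. It enforces two independent limits:
  1. A pre-decode estimate from the declared duration, sample rate and
     channel count, so obviously oversized inputs never reach a decoder.
  2. A hard cap applied while decoding, since declared metadata can be
     forged and may understate the real decoded size.
"""
from dataclasses import dataclass
from typing import Iterable

FLOAT32_BYTES = 4
MAX_COMPRESSED_BYTES = 25 * 1024 * 1024   # assumed upload cap (25 MiB)
MAX_DECODED_BYTES = 512 * 1024 * 1024     # assumed PCM budget (512 MiB)


class DecodedSizeExceeded(ValueError):
    """Raised when decoded PCM would exceed the configured budget."""


@dataclass(frozen=True)
class AudioMetadata:
    """Declared stream properties, as read from the container header (assumed shape)."""
    duration_s: float
    sample_rate: int
    channels: int


def estimated_pcm_bytes(meta: AudioMetadata, bytes_per_sample: int = FLOAT32_BYTES) -> int:
    """Upper-bound estimate of decoded PCM size: samples * channels * bytes per sample."""
    samples = int(meta.duration_s * meta.sample_rate)
    return samples * meta.channels * bytes_per_sample


def precheck_upload(
    compressed_size: int,
    meta: AudioMetadata,
    max_compressed: int = MAX_COMPRESSED_BYTES,
    max_decoded: int = MAX_DECODED_BYTES,
) -> int:
    """Reject before decoding if either the upload or its projected PCM is too large.

    Returns the estimated decoded size when the upload is within budget.
    """
    if compressed_size > max_compressed:
        raise DecodedSizeExceeded(
            f"compressed upload of {compressed_size} bytes exceeds {max_compressed}"
        )
    estimate = estimated_pcm_bytes(meta)
    if estimate > max_decoded:
        raise DecodedSizeExceeded(
            f"declared audio would decode to ~{estimate} bytes, budget is {max_decoded}"
        )
    return estimate


def is_within_budget(compressed_size: int, meta: AudioMetadata) -> bool:
    """Boolean convenience wrapper around precheck_upload."""
    try:
        precheck_upload(compressed_size, meta)
    except DecodedSizeExceeded:
        return False
    return True


def bounded_decode(frames: Iterable[bytes], max_decoded: int = MAX_DECODED_BYTES) -> bytes:
    """Accumulate decoded PCM frames, aborting as soon as the running total exceeds the cap.

    `frames` stands in for whatever the real decoder yields chunk by chunk;
    the point is that the budget is enforced on actual output, not on the header.
    """
    total = 0
    out = bytearray()
    for frame in frames:
        total += len(frame)
        if total > max_decoded:
            raise DecodedSizeExceeded(f"decoded output passed {max_decoded} bytes")
        out.extend(frame)
    return bytes(out)


if __name__ == "__main__":
    # Constructed inputs: a short mono clip and a multi-hour declared duration.
    short_clip = AudioMetadata(duration_s=30.0, sample_rate=16_000, channels=1)
    long_clip = AudioMetadata(duration_s=77_000.0, sample_rate=48_000, channels=1)
    print("short clip accepted:", is_within_budget(200_000, short_clip))
    print("long clip accepted:", is_within_budget(200_000, long_clip))
```

The pre-decode estimate is cheap and catches the obvious cases, but only the in-loop cap protects against a container whose header lies about its duration; a service should keep both, and should size the budget to what a single request is allowed to hold in memory rather than to the upload limit.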

Affected Version(s)

vllm < 0.23.1rc0

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
