Memory Management Flaw in vLLM Affects Users
CVE-2026-54234

7.5HIGH

Key Information:

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-54234?

The vLLM inference engine contains a vulnerability tied to its multi-request speculative decoding process. When an input exceeds the model's vocabulary boundary prior to version 0.24.0, it triggers a negative value conversion, leading to a crash of the engine worker. This crash disrupts service for concurrent requests, causing significant downtime for users relying on the shared engine. The vulnerability is reachable via public gRPC endpoints, posing a risk to systems where remote clients can make generation requests. Users are encouraged to update to version 0.24.0 or later to mitigate this issue.

Affected Version(s)

vllm < 0.24.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.