Memory Management Flaw in vLLM Affects Users
CVE-2026-54234
7.5HIGH
What is CVE-2026-54234?
The vLLM inference engine contains a vulnerability tied to its multi-request speculative decoding process. When an input exceeds the model's vocabulary boundary prior to version 0.24.0, it triggers a negative value conversion, leading to a crash of the engine worker. This crash disrupts service for concurrent requests, causing significant downtime for users relying on the shared engine. The vulnerability is reachable via public gRPC endpoints, posing a risk to systems where remote clients can make generation requests. Users are encouraged to update to version 0.24.0 or later to mitigate this issue.
Affected Version(s)
vllm < 0.24.0
