Inference Engine Vulnerability in vLLM Affects Large Language Model Processing
CVE-2026-54235

6.9 MEDIUM

Key Information:

Status
Vendor
CVE Published: 22 June 2026

What is CVE-2026-54235?

vLLM, an inference and serving engine for large language models, has a vulnerability in its temperature validation gates. Prior to version 0.23.1rc0, these gates checked temperature values with comparison operators, which do not reject NaN (Not a Number) or positive Infinity under Python's IEEE 754 float semantics: every ordered comparison against NaN evaluates to False, so a range check written as a comparison never fires for it. The unvalidated values propagate into GPU sampling kernels, resulting in undefined behavior and potential crashes of the inference worker. The issue is fixed in version 0.23.1rc0.
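The failure mode described above, as an added example (not vLLM's code): `comparison_gate` is a constructed stand-in for a comparison-only check, and `finite_gate` is one way to reject non-finite values with `math.isfinite` before any range test. All function names and sample values are assumptions made for illustration.

```python
import math

def comparison_gate(temperature):
    """Constructed stand-in for a comparison-only check (not vLLM's code)."""
    if temperature < 0.0:  # NaN < 0.0 and inf < 0.0 are both False
        raise ValueError(f"temperature must be non-negative, got {temperature}")
    return temperature

def finite_gate(temperature):
    """Hardened check: reject non-finite values before any range comparison."""
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(temperature, bool) or not isinstance(temperature, (int, float)):
        raise TypeError("temperature must be a real number")
    if not math.isfinite(temperature):  # catches NaN, +inf and -inf
        raise ValueError(f"temperature must be finite, got {temperature}")
    if temperature < 0.0:
        raise ValueError(f"temperature must be non-negative, got {temperature}")
    return float(temperature)

def accepts(gate, value):
    """True if the gate lets the value through, False if it raises."""
    try:
        gate(value)
        return True
    except (TypeError, ValueError):
        return False

def gate_disagreements(values):
    """repr of each value the comparison gate accepts but the finite gate rejects."""
    return [repr(v) for v in values
            if accepts(comparison_gate, v) and not accepts(finite_gate, v)]

# Constructed sample inputs covering ordinary, negative and non-finite values.
SAMPLES = [0.0, 0.7, 2.0, -1.0, float("nan"), float("inf"), float("-inf")]

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v!r:>5}  comparison={accepts(comparison_gate, v)}"
              f"  finite={accepts(finite_gate, v)}")
    print("accepted only by the comparison gate:", gate_disagreements(SAMPLES))
```

Negative infinity is already rejected by the lower-bound comparison, which is why only NaN and positive Infinity reach the sampling path.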

Affected Version(s)

vllm < 0.23.1rc0


CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
