Memory Leak Vulnerability in vLLM Inference Engine by vLLM Project
CVE-2026-54236

CVSS 5.3 MEDIUM

Key Information:

Status
Vendor
CVE Published:
22 June 2026

What is CVE-2026-54236?

The vLLM inference engine has a vulnerability that allows an unauthenticated attacker to exploit certain response paths. Prior to version 0.23.1rc0, the engine did not sanitize error messages correctly, so raw exception text could leak sensitive heap memory addresses into API responses. An attacker could send malformed image bytes through the Anthropic Messages API, triggering an UnidentifiedImageError whose message exposed memory addresses in the response. This issue has been addressed and fixed in version 0.23.1rc0.
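As an added illustration of the defensive fix class described above (not vLLM's own code), the following Python snippet shows the unsafe pattern of echoing a raw exception string beside a hardened handler that redacts object reprs and hex addresses before they reach an API error body. The sample message is constructed to mimic the form of Pillow's UnidentifiedImageError text for an unreadable BytesIO; the address and the error-body shape are assumptions, not values from the advisory.

```python
import re

# Constructed sample: the kind of message raised when an image decoder is
# handed malformed bytes wrapped in a BytesIO. The hex address is made up.
RAW_EXCEPTION_MESSAGE = (
    "cannot identify image file <_io.BytesIO object at 0x7f3c2a1b4d50>"
)

# "<... object at 0x...>" reprs and bare hex values long enough to be pointers.
_OBJECT_REPR = re.compile(r"<[^<>]*\bat 0x[0-9a-fA-F]+>")
_HEX_ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{6,}\b")


def leaks_address(message: str) -> bool:
    """Detection check: does this text still carry a heap-looking address?"""
    return _HEX_ADDRESS.search(message) is not None


def sanitize_error_message(message: str) -> str:
    """Strip object reprs and hex addresses from an exception string."""
    cleaned = _OBJECT_REPR.sub("<redacted>", message)
    return _HEX_ADDRESS.sub("0x<redacted>", cleaned)


def unsafe_error_body(exc: Exception) -> dict:
    """The vulnerable pattern: the raw exception text goes straight to the client."""
    return {"type": "error", "error": {"message": str(exc)}}


def safe_error_body(exc: Exception) -> dict:
    """Hardened pattern: the client sees a generic message, the log keeps the
    sanitized detail. Logging is stubbed to a return value here for clarity."""
    client_message = "Could not decode the supplied image input."
    server_log_line = sanitize_error_message(str(exc))  # safe to log
    return {
        "type": "error",
        "error": {"type": "invalid_request_error", "message": client_message},
        "_log": server_log_line,
    }


if __name__ == "__main__":
    exc = ValueError(RAW_EXCEPTION_MESSAGE)
    print("unsafe:", unsafe_error_body(exc))
    print("safe:  ", safe_error_body(exc))
```

In a real service the `_log` field would go to the server log rather than into the response; it is returned here only so the behaviour can be checked.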

Affected Version(s)

vllm < 0.23.1rc0

CVSS v3.1

  • Score: 5.3
  • Severity: MEDIUM
  • Confidentiality: Low
  • Integrity: None
  • Availability: Low
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved