Denial of Service in vLLM from vLLM project
CVE-2026-56340

8.7 HIGH

Key Information:

Vendor

vLLM

Status
Vendor
CVE Published:
20 June 2026

What is CVE-2026-56340?

The vulnerability in vLLM is inadequate validation of sparse tensors during the processing of multimodal embeddings. Versions from 0.10.2 up to, but not including, 0.13.0 lack essential checks against malformed tensor indices. When the prompt-embeds feature is in use, an attacker may submit specially crafted embedding requests containing negative or out-of-bounds indices, leading to system crashes or resource exhaustion. This issue is an extension of a prior vulnerability, for which the affected feature was only disabled by default without resolving the underlying problem.
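The index checks described above as missing, written out as an added example (not vLLM's code and not its actual fix). It assumes a COO layout (one coordinate tuple per stored value, plus a declared dense shape), which this entry does not state; `validate_sparse_coo`, `SparseValidationError` and `MAX_DENSE_ELEMENTS` are hypothetical names.

```python
# Added example: checks to run on an untrusted sparse tensor before it is
# densified or indexed. Assumed layout (not stated on the page): COO.
from math import prod

MAX_DENSE_ELEMENTS = 1 << 24  # hypothetical cap; tune to the deployment


class SparseValidationError(ValueError):
    """Raised when a sparse payload must be rejected."""


def validate_sparse_coo(indices, values, shape, max_dense=MAX_DENSE_ELEMENTS):
    """Return the number of stored values, or raise SparseValidationError."""
    # Shape first: every later bound check depends on it being sane.
    if not shape or any(type(d) is not int or d <= 0 for d in shape):
        raise SparseValidationError("shape must be a list of positive integers")
    dense_size = prod(shape)
    # Resource-exhaustion guard: a tiny payload can declare a huge dense shape.
    if dense_size > max_dense:
        raise SparseValidationError("declared dense size exceeds cap")
    if len(indices) != len(values):
        raise SparseValidationError("index count does not match value count")
    if len(indices) > dense_size:
        raise SparseValidationError("more stored values than dense elements")
    for n, coord in enumerate(indices):
        if len(coord) != len(shape):
            raise SparseValidationError(f"entry {n}: wrong number of axes")
        for axis, (i, dim) in enumerate(zip(coord, shape)):
            # type() check also rejects bool and float coordinates.
            if type(i) is not int:
                raise SparseValidationError(f"entry {n}: non-integer index")
            # Negative and too-large indices are both rejected, never wrapped.
            if not 0 <= i < dim:
                raise SparseValidationError(
                    f"entry {n}: index {i} out of range for axis {axis}"
                )
    return len(indices)


if __name__ == "__main__":
    # Constructed sample payloads: (indices, values, shape).
    samples = {
        "well-formed": ([(0, 1), (3, 2)], [0.5, -1.0], (4, 3)),
        "negative index": ([(0, -1)], [0.5], (4, 3)),
        "out of bounds": ([(4, 0)], [0.5], (4, 3)),
        "oversized shape": ([(0, 0)], [0.5], (2**40, 2**40)),
    }
    for name, payload in samples.items():
        try:
            print(name, "->", validate_sparse_coo(*payload), "values accepted")
        except SparseValidationError as exc:
            print(name, "-> rejected:", exc)
```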

Affected Version(s)

vLLM 0.10.2 < 0.13.0

vLLM 0.13.0

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
