CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-34760

CVE-2026-34760: Adversarial Prompt Injection via Unweighted Audio Downmixing in vLLM

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 17, 2026·8 min read·3 visits

Executive Summary (TL;DR)

vLLM prior to 0.18.0 downmixes multi-channel audio using an unweighted mathematical mean, allowing hidden voice commands to be injected into models via physically inaudible channels.

An improper input validation vulnerability (CWE-20) exists in vLLM versions 0.5.5 through 0.17.2 when processing multi-channel audio tracks. By relying on librosa's flat arithmetic mean instead of physical downmixing standards, vLLM blends sub-audible low-frequency or surround channels with equal weight. This enables an attacker to inject adversarial prompt sequences that bypass human moderation but are parsed clearly by speech-to-text models.

Vulnerability Overview

The integration of multimodal speech-to-text capabilities within modern LLM inference engines requires robust media preprocessing pipelines. Within vLLM, an open-source high-throughput LLM serving library, input audio waveforms are ingested, resampled, and normalized before being passed to downstream models such as Whisper, Qwen-Audio, or FireRedASR. The preprocessing pipeline must adapt multi-channel audio tracks (such as stereo 2.0 or 5.1 surround configurations) into a single, one-dimensional mono array for neural network ingestion.

CVE-2026-34760 (GHSA-6c4r-fmh3-7rh8) is an improper input validation vulnerability residing in the preprocessing engine of vLLM versions 0.5.5 through 0.17.2. The core of the vulnerability lies in the lack of semantic alignment between human auditory perception standards and the mathematical average used to mix down multiple channels. An attacker can exploit this discrepancy to bypass voice input filters, insert hidden prompts, or execute prompt injection attacks without detection by human reviewers auditing the input streams.

Because physical audio standards dictate that sub-audible low-frequency tracks or secondary surround channels are largely disregarded by human hearing, an adversary can craft a file where malicious payload data is placed solely in those channels. Meanwhile, the primary left/right channels contain benign voice requests. When processed by a vulnerable vLLM node, both streams are blended with equal weight, combining the adversarial instruction and benign prompt into the final transcription input.

Root Cause Analysis

Standard audio processing protocols define precise methods for reducing multi-channel sound to a single monaural channel. The International Telecommunication Union standard, ITU-R BS.775-4, establishes acoustic weighting coefficients to protect speech intelligibility and simulate human auditory spatial integration. Under this standard, the center channel carrying voice is preserved at full power, while front-left and front-right channels are weighted proportionally, and surround channels are attenuated. Crucially, the Low-Frequency Effects (LFE) channel, which represents subwoofer frequencies below 120 Hz, is completely discarded during mono downmixing because it lacks directional information or intelligible phonetic content.

Vulnerable configurations of vLLM did not apply these standardized acoustic models. Instead, the input processing system relied on the librosa library to handle file loading and downmixing. When converting multi-channel media to mono via its ingestion path, librosa bypasses layout-specific physical parameters and executes a simple arithmetic mean across the channels. This mathematical reduction merges every channel with uniform weight:

$$\text{Mono}[t] = \frac{1}{N}\sum_{i=1}^{N} \text{Channel}_i[t]$$

This unweighted average treats the LFE and rear surround channels identically to the primary center and front stereo channels. Consequently, low-frequency data or surround noise that is physically imperceptible or highly attenuated under acoustic guidelines is injected directly into the output stream at equal amplitude. This creates a processing differential where the human auditor hears only the primary stereo channels, while the AI transcription engine receives a composite signal containing the low-frequency payload.

Code-Level Analysis

To understand the flaw at the implementation level, we can examine the vulnerable processing file structure. In vulnerable versions of vllm/entrypoints/openai/speech_to_text/speech_to_text.py, the audio file loader utilized librosa.load which automatically reduced channels to mono by calling its internal flat average function:

# VULNERABLE CODE PATH
with io.BytesIO(audio_data) as buf:
    # librosa.load internally downmixes multi-channel arrays to mono
    # using a simple unweighted arithmetic mean over numpy arrays
    y, sr = librosa.load(buf, sr=self.asr_config.sample_rate)

The remediation patch, implemented in Pull Request #37058 and merged in commit c7f98b4d0a63b32ed939e2b6dfaa8a626e9b46c4, completely deprecated the librosa loading pipeline in favor of PyAV (av). PyAV links against FFmpeg's libswresample C-library, which implements layout-aware audio channel conversion. The refactored code in vllm/multimodal/media/audio.py uses av.AudioResampler to safely downmix waveforms:

# PATCHED CODE PATH
def load_audio_pyav(
    path: BytesIO | Path | str,
    *,
    sr: float | None = 22050,
    mono: bool = True,
) -> tuple[npt.NDArray, float]:
    native_sr = None
    try:
        with av.open(path) as container:
            if not container.streams.audio:
                raise ValueError("No audio stream found.")
            stream = container.streams.audio[0]
            stream.thread_type = "AUTO"
            native_sr = stream.rate
            sr = sr or native_sr
 
            chunks: list[npt.NDArray] = []
            needs_resampling = not math.isclose(
                float(sr),
                float(native_sr),
                rel_tol=0.0,
                abs_tol=1e-6,
            )
            # Correctly configure PyAV layout to "mono" to enforce
            # FFmpeg layout-aware and acoustic-weighted downmixing
            resampler = (
                av.AudioResampler(format="fltp", layout="mono", rate=sr)
                if needs_resampling
                else None
            )
            # Ingestion loops and handles frame processing

By instantiating the av.AudioResampler with layout="mono", vLLM offloads downmixing to FFmpeg. FFmpeg enforces standard ITU coefficients during downmixing, dropping the LFE channel entirely and reducing the surround coefficients. This prevents off-channel signals from bleeding into the primary transcript stream at unweighted amplitudes.

Exploitation Mechanics

The execution of an attack leveraging CVE-2026-34760 requires the construction of a dual-track adversarial audio file. An attacker targets an application endpoint utilizing a speech-enabled model (e.g., Whisper) backed by a vulnerable vLLM server. The attacker configures a standard audio format container, such as WAV or FLAC, with a multi-channel configuration (for instance, a 5.1 surround sound mapping).

The attacker places standard, clean speech into the Front Left and Front Right channels. This benign speech is designed to pass physical human quality assurance or automated safety checks. Concurrently, the attacker writes an administrative override or jailbreak sequence into the Low-Frequency Effects (LFE) channel. Because standard human hearing is highly insensitive to frequencies below 80 Hz, and physical consumer speakers frequently attenuate or ignore the LFE channel, a human auditor listening to the file over normal audio monitoring equipment will only perceive the benign conversation.

Upon submission to the vLLM API endpoint, the vulnerable engine parses the file via librosa.load(), combining the channels mathematically with equal weight. The merged waveform contains both the audible benign request and the low-frequency adversarial prompt. When passed to the speech-to-text neural network, the engine transcribes the combined adversarial payload, causing the downstream application to execute unauthorized operations or bypass system prompt barriers.

Residual Vulnerability Risk Assessment

While the integration of PyAV in vLLM 0.18.0 mitigates standard file-loading attacks, a thorough technical review reveals a significant residual attack surface. The codebase retains fallback ingestion paths that continue to utilize insecure numpy processing techniques. If PyAV fails to decode a custom container, the loader falls back to soundfile, exposing a vulnerable routing path.

In vllm/multimodal/media/audio.py, the fallback function load_audio_soundfile is written as follows:

# VULNERABLE FALLBACK IN PATCHED CODE
def load_audio_soundfile(
    path: BytesIO | Path | str,
    *,
    sr: float | None = 22050,
    mono: bool = True,
) -> tuple[np.ndarray, int]:
    with soundfile.SoundFile(path) as f:
        native_sr = f.samplerate
        y = f.read(dtype="float32", always_2d=False).T
 
    if mono and y.ndim > 1:
        # Flat arithmetic mean is still executed on multi-channel arrays
        y = np.mean(y, axis=tuple(range(y.ndim - 1)))

Because the code explicitly falls back to soundfile and runs a flat np.mean(), an attacker who can craft a file that triggers a PyAV parsing error (e.g., malformed headers or obscure codecs) but is successfully parsed by soundfile can force vLLM to use the vulnerable fallback path. This reinstates the flat arithmetic downmixing vulnerability, allowing the exact same multi-channel exploit to succeed even on a patched server.

Remediation & Hardening

Organizations hosting vLLM models must perform urgent patching and deploy defensive preprocessing guards. Updating vLLM to version 0.18.0 or newer removes librosa and implements the PyAV layout-aware mono resampling as the default operational pipeline. This reduces the risk of casual multi-channel prompt hijacking.

Because of the residual risk associated with the soundfile fallback path, deployments must validate and normalize incoming media arrays before ingestion by vLLM. Security teams should enforce strict downmixing and filtering at the gateway level. For example, utilizing an isolated preprocessing step via FFmpeg strips non-standard channels and applies high-pass filtering to neutralize sub-audible payloads:

# Strict downmixing using ITU-R BS.775-4 and cutting frequencies below 80 Hz
ffmpeg -i incoming_input.wav -ac 1 -af "highpass=f=80" normalized_output.wav

Furthermore, monitoring applications should deploy spectral and energy analysis scripts to detect incoming multi-channel uploads with high-energy variance between physical tracks. A significant ratio of low-frequency energy in the subwoofer track compared to the vocal spectrum indicates a high probability of an out-of-band adversarial payload.

Official Patches

vllm-projectvLLM Security Advisory for CVE-2026-34760
vllm-projectvLLM Pull Request #37058 - Replace librosa with PyAV for layout-aware mono resampling

Technical Appendix

CVSS Score
5.9/ 10
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L
EPSS Probability
0.27%
Top 82% most exploited

Affected Systems

vLLM inference and serving engine

Affected Versions Detail

Product
Affected Versions
Fixed Version
vllm
vllm-project
>= 0.5.5, < 0.18.00.18.0
AttributeDetail
CWE IDCWE-20 (Improper Input Validation)
Attack VectorNetwork (AV:N)
CVSS v3.1 Score5.9 (Medium)
EPSS Score0.00267 (18.46th percentile)
ImpactHigh Integrity, Low Availability
Exploit StatusProof-of-Concept
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
CWE-20
Improper Input Validation

The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

Vulnerability Timeline

Fix Pull Request #37058 submitted
2026-03-21
Security Advisory GHSA-6c4r-fmh3-7rh8 published and CVE-2026-34760 assigned
2026-04-02
vLLM version 0.18.0 released with PyAV refactor
2026-04-02

References & Sources

  • [1]NVD - CVE-2026-34760
  • [2]vLLM Security Advisory (GHSA-6c4r-fmh3-7rh8)
  • [3]Patch Commit c7f98b4d0a63b32ed939e2b6dfaa8a626e9b46c4
  • [4]vLLM Official v0.18.0 Release

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•17 minutes ago•GHSA-RJWR-M7QX-3FJR
8.6

GHSA-RJWR-M7QX-3FJR: Code Generation Injection in oapi-codegen

An arbitrary code generation injection vulnerability in the oapi-codegen OpenAPI toolchain allows remote attackers to inject executable Go statements into compiled outputs via manipulated specifications.

Alon Barad
Alon Barad
0 views•7 min read
•about 1 hour ago•CVE-2026-55646
6.5

CVE-2026-55646: Remote Denial of Service via Memory Exhaustion in vLLM Speech-to-Text Endpoints

A severe denial-of-service (DoS) vulnerability exists in the speech-to-text API endpoints of the vLLM serving engine from version 0.22.0 to 0.23.0. The flaw is triggered by the direct deserialization and reading of uploaded files into RAM prior to validating file-size limits. An authenticated attacker can exploit this behavior by submitting large file payloads, causing resource starvation and forcing the operating system kernel to terminate the serving process.

Alon Barad
Alon Barad
2 views•5 min read
•about 7 hours ago•GHSA-GGXF-9F6J-W742
5.3

GHSA-GGXF-9F6J-W742: Use-After-Free in Diesel SQLite Deserialization

A memory unsoundness vulnerability exists in the Diesel ORM crate when deserializing SQLite databases from raw bytes. The flaw is caused by a failure to bind the lifetime of the input buffer to the lifetime of the connection object, resulting in a Use-After-Free condition in the underlying libsqlite3 C library when subsequent queries are executed.

Alon Barad
Alon Barad
3 views•6 min read
•about 8 hours ago•CVE-2026-52870
7.6

CVE-2026-52870: Broken Object-Level Authorization (BOLA) in Model Context Protocol (MCP) Python SDK

CVE-2026-52870 is a high-severity Broken Object-Level Authorization (BOLA) / Missing Authorization vulnerability (CWE-862) discovered in the experimental tasks feature of the Model Context Protocol (MCP) Python SDK. Under affected versions (< 1.27.2), default handlers registered via server.experimental.enable_tasks() allowed connected clients to enumerate, access, and terminate active tasks belonging to other user sessions due to a lack of session ownership validation. This compromised multi-tenant isolation, allowing authenticated users to extract execution data and cancel running jobs across concurrent connections. The vulnerability has been resolved in version 1.27.2 through session-scoping of task identifiers and transport session pinning.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 9 hours ago•GHSA-48QW-824M-86PR
7.7

GHSA-48QW-824M-86PR: Privilege Escalation and Sandbox Escape in ArcadeDB Server

A high-severity privilege escalation and sandbox escape vulnerability exists in ArcadeDB Server prior to version 26.7.1. This flaw permits an authenticated user with read-only privileges to execute arbitrary JVM code in a sandboxed JavaScript context via the API command endpoint. By utilizing reflection on bound Java objects, an attacker can bypass the GraalVM guest environment's whitelist, access the Java ClassLoader, and perform arbitrary file reads on the host filesystem.

Alon Barad
Alon Barad
6 views•6 min read
•about 15 hours ago•CVE-2026-59950
7.6

CVE-2026-59950: Cross-Site WebSocket Hijacking in Model Context Protocol Python SDK

CVE-2026-59950 is a high-severity security vulnerability in the Model Context Protocol (MCP) Python SDK. Prior to version 1.28.1, the SDK's deprecated WebSocket server transport accepted incoming connection handshakes without performing validation on the Host or Origin headers. Because web browsers do not restrict WebSocket connections using the Same-Origin Policy (SOP), this enables malicious third-party websites to perform a Cross-Site WebSocket Hijacking (CSWSH) attack, executing unauthorized commands on behalf of the local user.

Alon Barad
Alon Barad
7 views•6 min read