CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-55646

CVE-2026-55646: Remote Denial of Service via Memory Exhaustion in vLLM Speech-to-Text Endpoints

Alon Barad
Alon Barad
Software Engineer

Jul 17, 2026·5 min read·2 visits

Executive Summary (TL;DR)

vLLM version 0.22.0 through 0.23.0 allocates system RAM for file uploads before validating size constraints. Attackers can exploit this to trigger out-of-memory (OOM) crashes on the serving host, causing a complete denial of service.

A severe denial-of-service (DoS) vulnerability exists in the speech-to-text API endpoints of the vLLM serving engine from version 0.22.0 to 0.23.0. The flaw is triggered by the direct deserialization and reading of uploaded files into RAM prior to validating file-size limits. An authenticated attacker can exploit this behavior by submitting large file payloads, causing resource starvation and forcing the operating system kernel to terminate the serving process.

Vulnerability Overview

The vLLM framework is an open-source serving engine optimized for high-throughput and memory-efficient Large Language Model (LLM) inference. In versions 0.22.0 through 0.23.0, the framework includes speech-to-text API endpoints designed to parse and translate audio inputs. These endpoints, namely /v1/audio/transcriptions and /v1/audio/translations, expose an attack surface to authenticated clients.

This vulnerability belongs to the class of CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). The engine fails to restrict raw memory allocations when parsing multipart HTTP file uploads. This behavior permits an attacker to send arbitrarily large payloads that exhaust system resources prior to validation checks.

Successful exploitation results in process termination. Because vLLM hosts computationally heavy models, a sudden resource depletion often causes the operating system's Out-Of-Memory (OOM) killer to terminate the main engine process. This results in a complete denial of service for all users relying on the affected instance.

Root Cause Analysis

The core technical defect resides in the execution flow within the speech-to-text API router. When a client uploads an audio file, Starlette (the underlying ASGI framework used by FastAPI) instantiates an UploadFile object. To parse the file contents, the route handler executes the expression audio_data = await request.file.read().

Executing read() without bounded constraints instructs Starlette to ingest the incoming multipart stream entirely. The framework allocates heap memory proportional to the size of the received file payload and stores it as a raw Python bytes object. This allocation occurs immediately upon receipt of the request.

While vLLM defines a configuration parameter named VLLM_MAX_AUDIO_CLIP_FILESIZE_MB (defaulting to 25 MB), this variable was only evaluated after the file was fully materialized in memory. If an attacker uploads a multi-gigabyte file, the server allocates gigabytes of physical RAM. If the allocated amount exceeds available memory, the host kernel triggers a SIGKILL to reclaim memory resources.

Vulnerable Execution Flow

The following diagram outlines the sequence of events leading to system-level process termination when an oversized upload is received:

Code Analysis & Fix Verification

In vulnerable versions, the route handler in vllm/entrypoints/speech_to_text/transcription/api_router.py processed incoming requests directly via standard Starlette file streams:

# Vulnerable Implementation
@router.post("/v1/audio/transcriptions")
async def create_transcriptions(...):
    ...
    # Memory is allocated dynamically for the full file size here
    audio_data = await request.file.read()
    ...

To resolve this flaw, the developers introduced a validation helper named read_upload_with_limit in the file vllm/entrypoints/speech_to_text/base/utils.py and modified the router endpoints to use it:

# Patched Implementation
@router.post("/v1/audio/transcriptions")
async def create_transcriptions(...):
    ...
    # Validation and bounded streaming are applied during ingestion
    audio_data = await read_upload_with_limit(request.file)
    ...

This helper verifies the Content-Length header via file.size. If the metadata reports a size exceeding VLLM_MAX_AUDIO_CLIP_FILESIZE_MB, the server rejects the request immediately. To protect against spoofed or missing headers, the helper processes the stream in incremental chunks of 64 KiB (_READ_CHUNK_SIZE), keeping a running total of ingested bytes. If this total crosses the threshold, the upload is aborted and the stream is discarded. This is a complete fix that prevents uncontrolled heap expansion.

Exploitation Methodology

Exploitation requires network reachability to the /v1/audio/transcriptions or /v1/audio/translations endpoints. If the host requires API key authentication, the attacker must possess standard credentials. No specialized tools are required; standard HTTP client libraries can facilitate the attack.

An attacker crafts a multipart form-data payload containing an excessively large file. Because Starlette processes streamed chunked uploads, the attacker can use the Transfer-Encoding: chunked header to stream data without declaring the Content-Length header, bypassing basic frontend gateway checks.

Upon receiving the stream, the backend continuously stores incoming data in heap memory. The allocation continues until the server's free physical memory is exhausted. At this stage, the OS kernel's Out-Of-Memory subsystem triggers and terminates the vllm worker process, resulting in an immediate denial of service.

Impact Assessment

The impact of this vulnerability is classified as High for availability, but carries zero impact for confidentiality or integrity. Because the engine processes large, complex transformer models, these servers typically run with high baseline memory overhead. Consequently, even small spikes in heap usage can cause process termination.

When the vLLM process is terminated, all ongoing and queued inference tasks across other endpoints (including standard text-generation models) fail immediately. This behavior disrupts operations across any microservices reliant on the affected vLLM instance.

The vulnerability is assigned a CVSS score of 6.5 (Medium). The requirement for a valid API token in authenticated environments serves as the primary barrier preventing automated mass-exploitation, maintaining lower overall exposure risk.

Remediation & Mitigation

The primary remediation strategy is upgrading the vllm library to version 0.24.0 or later. This version contains the read_upload_with_limit implementation that protects against both buffer exhaustion and chunked upload evasion.

If upgrading immediately is not feasible, administrators can apply mitigation at the network layer. Configure reverse proxies or API gateways (such as Nginx or Envoy) to restrict client payload sizes on these routes. For example, adding client_max_body_size 25M; in Nginx prevents oversized streams from reaching the vLLM backend.

Additionally, administrators can enforce strict containerization constraints. Limiting container memory bounds via cgroups prevents host-wide resource depletion and allows orchestration tools (e.g., Kubernetes) to automatically restart the terminated container, reducing overall downtime.

Official Patches

vllm-projectPull Request #45510: Security update for audio endpoint file uploads
vllm-projectCommit implementing read_upload_with_limit security controls

Fix Analysis (1)

Technical Appendix

CVSS Score
6.5/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Probability
0.29%
Top 79% most exploited

Affected Systems

vLLM Serving Engine running on PyPI ecosystem

Affected Versions Detail

Product
Affected Versions
Fixed Version
vllm
vllm-project
>= 0.22.0, < 0.24.00.24.0
AttributeDetail
CWE IDCWE-400, CWE-770
Attack VectorNetwork (Remote)
CVSS v3.16.5 (Medium)
Exploit MaturityPoC / Known Mechanics
ImpactDenial of Service (DoS)
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1499Endpoint Denial of Service
Impact
CWE-400
Uncontrolled Resource Consumption

The software does not control or properly limit the allocation and consumption of a resource, leading to memory exhaustion and denial of service.

Vulnerability Timeline

Remediation commit integrated into main branch of vLLM
2026-06-15
Security advisory published publicly on GitHub Advisories
2026-07-06
Vulnerability published on NVD and assigned CVE-2026-55646
2026-07-06

References & Sources

  • [1]vLLM Security Advisory GHSA-v82g-2437-67m2
  • [2]National Vulnerability Database: CVE-2026-55646

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•4 minutes ago•CVE-2026-53597
8.7

CVE-2026-53597: Remote Code Execution in Microsoft prompty via Insecure gray-matter Parsing

CVE-2026-53597 is a high-severity code injection vulnerability in Microsoft's prompty library, specifically affecting the TypeScript loader (@prompty/core). Due to an insecure default configuration in the underlying gray-matter metadata parser, processing untrusted prompt files containing executable JavaScript blocks inside the frontmatter results in arbitrary remote code execution within the security context of the parent Node.js process.

Amit Schendel
Amit Schendel
0 views•6 min read
•about 1 hour ago•GHSA-RJWR-M7QX-3FJR
8.6

GHSA-RJWR-M7QX-3FJR: Code Generation Injection in oapi-codegen

An arbitrary code generation injection vulnerability in the oapi-codegen OpenAPI toolchain allows remote attackers to inject executable Go statements into compiled outputs via manipulated specifications.

Alon Barad
Alon Barad
2 views•7 min read
•about 3 hours ago•CVE-2026-34760
5.9

CVE-2026-34760: Adversarial Prompt Injection via Unweighted Audio Downmixing in vLLM

An improper input validation vulnerability (CWE-20) exists in vLLM versions 0.5.5 through 0.17.2 when processing multi-channel audio tracks. By relying on librosa's flat arithmetic mean instead of physical downmixing standards, vLLM blends sub-audible low-frequency or surround channels with equal weight. This enables an attacker to inject adversarial prompt sequences that bypass human moderation but are parsed clearly by speech-to-text models.

Amit Schendel
Amit Schendel
3 views•8 min read
•about 8 hours ago•GHSA-GGXF-9F6J-W742
5.3

GHSA-GGXF-9F6J-W742: Use-After-Free in Diesel SQLite Deserialization

A memory unsoundness vulnerability exists in the Diesel ORM crate when deserializing SQLite databases from raw bytes. The flaw is caused by a failure to bind the lifetime of the input buffer to the lifetime of the connection object, resulting in a Use-After-Free condition in the underlying libsqlite3 C library when subsequent queries are executed.

Alon Barad
Alon Barad
4 views•6 min read
•about 9 hours ago•CVE-2026-52870
7.6

CVE-2026-52870: Broken Object-Level Authorization (BOLA) in Model Context Protocol (MCP) Python SDK

CVE-2026-52870 is a high-severity Broken Object-Level Authorization (BOLA) / Missing Authorization vulnerability (CWE-862) discovered in the experimental tasks feature of the Model Context Protocol (MCP) Python SDK. Under affected versions (< 1.27.2), default handlers registered via server.experimental.enable_tasks() allowed connected clients to enumerate, access, and terminate active tasks belonging to other user sessions due to a lack of session ownership validation. This compromised multi-tenant isolation, allowing authenticated users to extract execution data and cancel running jobs across concurrent connections. The vulnerability has been resolved in version 1.27.2 through session-scoping of task identifiers and transport session pinning.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 10 hours ago•GHSA-48QW-824M-86PR
7.7

GHSA-48QW-824M-86PR: Privilege Escalation and Sandbox Escape in ArcadeDB Server

A high-severity privilege escalation and sandbox escape vulnerability exists in ArcadeDB Server prior to version 26.7.1. This flaw permits an authenticated user with read-only privileges to execute arbitrary JVM code in a sandboxed JavaScript context via the API command endpoint. By utilizing reflection on bound Java objects, an attacker can bypass the GraalVM guest environment's whitelist, access the Java ClassLoader, and perform arbitrary file reads on the host filesystem.

Alon Barad
Alon Barad
6 views•6 min read