{"data":{"id":"402bf3d7-d8a5-410b-b4e7-d9b4f780eea2","title":"CVE-2026-55646: vLLM is an inference and serving engine for large language models. From 0.22.0 to 0.23.0, the /v1/audio/transcriptions a","summary":"vLLM (a system for running large language models) versions 0.22.0 to 0.23.0 have a vulnerability where two audio processing routes load uploaded files entirely into memory before checking if they exceed the maximum allowed file size limit (25 MB by default), allowing attackers to cause memory exhaustion or crash the system by uploading oversized files. This happens because the size check occurs too late in the process, after the file has already been loaded.","solution":"This issue is fixed in version 0.24.0.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-55646","publishedAt":"2026-07-06T20:16:37.663Z","cveId":"CVE-2026-55646","cweIds":["CWE-400","CWE-770"],"cvssScore":"6.5","cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["vLLM"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","attackVector":"network","attackComplexity":"low","privilegesRequired":"low","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-07-06T20:16:37.663Z","capecIds":["CAPEC-125","CAPEC-130"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":"inference","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}