{"data":{"id":"bff55a5b-2c0b-465a-92ee-437ca396f40a","title":"GHSA-3mwp-wvh9-7528: vLLM: Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server","summary":"vLLM's OpenAI-compatible API server has a denial-of-service vulnerability where an attacker can send a request with an extremely large `n` parameter (a value that controls how many independent response sequences to generate). Because the server doesn't validate an upper limit on this parameter, it attempts to create millions of copies of the request object in memory, which overwhelms the system and causes it to crash from running out of memory (OOM, out-of-memory).","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-3mwp-wvh9-7528","publishedAt":"2026-04-03T15:35:48.000Z","cveId":"CVE-2026-34756","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["vllm@>= 0.1.0, < 0.19.0 (fixed: 0.19.0)"],"affectedVendors":[],"affectedVendorsRaw":["vLLM"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-03T15:35:48.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":"inference","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}