AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-7141: A vulnerability was found in vllm up to 0.19.0. The affected element is the function has_mamba_layers of the file vllm/v

mediumvulnerabilityLLM-Specific

security

Source: NVD/CVE DatabaseApril 27, 2026CVE-2026-7141

Summary

A vulnerability was found in vllm (a language model serving framework) up to version 0.19.0 in the has_mamba_layers function, which can result in uninitialized resource (memory that hasn't been set to a known value before use). An attacker can trigger this flaw remotely, though the attack is difficult to execute and requires high complexity.

Solution / Mitigation

Deploy patch 1ad67864c0c20f167929e64c875f5c28e1aad9fd to fix this issue.

Vulnerability Details

CVSS Score

5.6(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

network

Attack Complexity

high

Privileges Required

none

User Interaction

none

Disclosure Date

April 27, 2026

Classification

Attack Type

Other

Attack SophisticationAdvanced

Impact (CIA+S)

integrityavailability

Taxonomy References

CWE (Weakness Type)

CWE-908

Affected Vendors

Related Issues

high

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne

Similar attackNVD/CVE Database

high

GHSA-w3hv-x4fp-6h6j: @grackle-ai/server has Missing WebSocket Origin Header Validation

Similar attack

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-7141

First tracked: April 27, 2026 at 02:07 PM

Classified by LLM (prompt v3) · confidence: 85%