CVE-2026-5497: vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory (OOM) Denial of Service (DoS) attack due to unbounded f
Summary
vLLM (an open-source tool for running large language models) versions 0.8.0 and later have a vulnerability where attackers can crash the server by sending a single request with thousands of video frames packed into one data URL. The vulnerability exists because the code that processes video frames doesn't limit how many frames it will try to load into memory, so an attacker can force it to decode so many frames that the server runs out of memory and stops working.
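One way to bound the work before any frame is decoded, shown as an added example that is not vLLM's code or its actual fix. It assumes the frames arrive as comma-separated base64 chunks after the data URL header (a layout this page does not state); the limits and all function names are hypothetical.

```python
import base64

MAX_FRAMES = 64                        # hypothetical cap; tune per deployment
MAX_PAYLOAD_BYTES = 32 * 1024 * 1024   # hypothetical cap on encoded payload size


class FrameLimitExceeded(ValueError):
    """Raised before any frame has been decoded."""


def split_frames(data_url, max_frames=MAX_FRAMES, max_payload=MAX_PAYLOAD_BYTES):
    """Return the still-encoded frames of a data URL, enforcing limits first.

    Assumed layout (not stated on the page):
        data:<media-type>;base64,<frame>,<frame>,...
    """
    header, sep, payload = data_url.partition(",")
    if not sep or not header.startswith("data:") or not header.endswith(";base64"):
        raise ValueError("not a base64 data URL")
    if not payload:
        raise ValueError("data URL carries no frames")
    if len(payload) > max_payload:
        raise FrameLimitExceeded(f"payload of {len(payload)} bytes exceeds {max_payload}")
    # Counting separators is a single pass with no per-frame allocation,
    # so an oversized request is rejected while it is still cheap.
    n_frames = payload.count(",") + 1
    if n_frames > max_frames:
        raise FrameLimitExceeded(f"{n_frames} frames exceeds limit of {max_frames}")
    return payload.split(",")


def decode_frames(data_url, decode=lambda raw: raw, **limits):
    """Run `decode` on each frame only after count and size checks pass.

    `decode` stands in for the real image decoder (the expensive step).
    """
    frames = split_frames(data_url, **limits)
    return [decode(base64.b64decode(f, validate=True)) for f in frames]


if __name__ == "__main__":
    # Constructed sample input: three tiny placeholder frames.
    frame = base64.b64encode(b"constructed-frame").decode()
    url = "data:video/jpeg;base64," + ",".join([frame] * 3)
    print(len(decode_frames(url)), "frames decoded")
```

The same cap belongs in front of any other path that turns request bytes into decoded frames, alongside a request body size limit at the HTTP layer.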
Vulnerability Details
EPSS: 0.0%
June 11, 2026
Related Issues
CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem
CVE-2021-29541: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null p
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-5497
First tracked: June 11, 2026 at 08:03 AM