CVE-2026-55646: vLLM is an inference and serving engine for large language models. From 0.22.0 to 0.23.0, the /v1/audio/transcriptions a
Summary
vLLM (a system for running large language models) versions 0.22.0 to 0.23.0 have a vulnerability where two audio processing routes load uploaded files entirely into memory before checking if they exceed the maximum allowed file size limit (25 MB by default), allowing attackers to cause memory exhaustion or crash the system by uploading oversized files. This happens because the size check occurs too late in the process, after the file has already been loaded.
Solution / Mitigation
This issue is fixed in version 0.24.0.
Vulnerability Details
6.5(medium)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
network
low
low
none
July 6, 2026
Classification
Affected Vendors
Related Issues
CVE-2026-47482: NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause missing release of memory
CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-55646
First tracked: July 6, 2026 at 08:07 PM
Classified by LLM (prompt v3) · confidence: 95%