CVE-2026-55574: vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, the structured_ou
Summary
vLLM, a system that runs large language models efficiently, has a vulnerability in versions before 0.24.0 where users can submit malicious regular expressions (patterns used to match text) through the structured_outputs.regex parameter that cause the system to hang indefinitely, making it unavailable to other users. The vulnerability exists because the regex patterns are sent directly to backend compilers without checking if they will take too long to process, and patterns with nested quantifiers (like repeated matching operations inside each other) can cause exponential state-space expansion (the number of possible states the regex checker must evaluate grows exponentially). An attacker could exploit this to perform a denial-of-service attack (making a service unavailable to legitimate users).
Solution / Mitigation
Update vLLM to version 0.24.0 or later, where this issue is fixed.
Vulnerability Details
EPSS: 0.0%
July 6, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
CVE-2026-47482: NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause missing release of memory
CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-55574
First tracked: July 6, 2026 at 08:07 PM
Classified by LLM (prompt v3) · confidence: 95%