CVE-2024-11041: vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses
Summary
vllm version v0.6.2 has a vulnerability in its MessageQueue.dequeue() function that uses pickle.loads (a Python method that reconstructs objects from serialized data) to process data directly from network sockets without validation. An attacker can send a malicious serialized payload that causes RCE (remote code execution, where an attacker runs commands on a target system), allowing them to execute arbitrary code on a victim's machine.
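The pattern described above, with one way to constrain it, as an added example (not vLLM's code or its actual fix, which this page does not show). It assumes the queue only needs to carry plain data; `safe_loads`, `DataOnlyUnpickler` and the sample messages are hypothetical names constructed for illustration, and the sample "call" message invokes only the harmless built-in `len`.

```python
import io
import pickle


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler for queues that carry plain data only (assumption).

    Globals (callables, classes) named in a pickle are resolved through
    find_class(), so refusing every lookup leaves only built-in containers
    and scalars (dict, list, tuple, str, bytes, int, float, bool, None).
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data: bytes):
    """Hypothetical replacement for pickle.loads() on socket data."""
    return DataOnlyUnpickler(io.BytesIO(data)).load()


def is_blocked(data: bytes) -> bool:
    """True if safe_loads() rejects the message."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


class _CallsOnLoad:
    """Constructed sample: its pickle tells the loader to call len("abc")."""

    def __reduce__(self):
        return (len, ("abc",))


# Constructed inputs: one ordinary message, one that names a callable.
PLAIN_MSG = pickle.dumps({"seq": 7, "body": [1, 2, 3]})
CALL_MSG = pickle.dumps(_CallsOnLoad())

if __name__ == "__main__":
    # pickle.loads() runs the sender-chosen call and returns its result.
    print("pickle.loads:", pickle.loads(CALL_MSG))
    print("safe_loads plain:", safe_loads(PLAIN_MSG))
    print("call message blocked:", is_blocked(CALL_MSG))
```

Where the messages must carry custom classes, the same `find_class()` hook can allow a short explicit list instead of refusing everything; a non-executable format such as JSON avoids the problem entirely.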
Vulnerability Details
EPSS: 1.3%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-11041
First tracked: February 15, 2026 at 08:44 PM