CVE-2026-54234: vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal
Summary
vLLM (a system for running LLMs efficiently) versions before 0.24.0 have a bug where certain requests can cause the rejection sampler (a component that filters generated tokens) to produce an invalid token value that crashes the engine's GPU worker. Because these requests can be sent remotely through public endpoints, an attacker can trigger this crash to shut down the service for all users until the worker restarts, creating a denial of service attack (making a service unavailable to legitimate users).
Solution / Mitigation
Update to vLLM version 0.24.0 or later, where this issue is fixed.
Vulnerability Details
7.5(high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
network
low
none
none
July 6, 2026
Classification
Affected Vendors
Related Issues
CVE-2026-47482: NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause missing release of memory
CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-54234
First tracked: July 6, 2026 at 08:07 PM
Classified by LLM (prompt v3) · confidence: 95%