Description
A flaw has been found in LMCache up to 0.4.6. This affects the function hex_hash_to_int16 of the file lmcache/integration/vllm/utils.py of the component KV Cache Handler. Executing a manipulation can lead to use of weak hash. The attack needs to be launched locally. The attack requires a high level of complexity. It is indicated that the exploitability is difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.
Published: 2026-06-04
Score: 2 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the hex_hash_to_int16 function of LMCache’s KV Cache Handler, where a 16‑bit hash is derived from hex data. This weak hashing algorithm, identified as CWE‑327 and CWE‑328, allows two distinct inputs to produce the same hash value. An attacker who can craft such collisions could replace or tamper with cache entries, effectively altering cached data or masking audit trails, thereby creating data integrity problems.

Affected Systems

LMCache users running versions up to 0.4.6 are affected. The vulnerable component is lmcache/integration/vllm/utils.py within the open‑source LMCache project. The issue is present in all distributions of this version range until a patch is released beyond 0.4.6.

Risk and Exploitability

The CVSS score is 2, indicating low overall severity, and EPSS data is not available. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires local execution and is considered difficult, with high complexity. A public exploit has already been published, but the attack vector is limited to environments where an attacker can run code locally against the LMCache service.

Generated by OpenCVE AI on June 4, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the pending patch by upgrading to an LMCache version newer than 0.4.6 once the pull request is merged and released.
  • Restrict local administrative access to the machines that host LMCache, ensuring that only trusted users can run code on these hosts.
  • Monitor the project’s issue tracker and pull‑request status so that the fix can be applied as soon as it becomes available

Generated by OpenCVE AI on June 4, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description A flaw has been found in LMCache up to 0.4.6. This affects the function hex_hash_to_int16 of the file lmcache/integration/vllm/utils.py of the component KV Cache Handler. Executing a manipulation can lead to use of weak hash. The attack needs to be launched locally. The attack requires a high level of complexity. It is indicated that the exploitability is difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.
Title LMCache KV Cache utils.py hex_hash_to_int16 weak hash
First Time appeared Lmcache
Lmcache lmcache
Weaknesses CWE-327
CWE-328
CPEs cpe:2.3:a:lmcache:lmcache:*:*:*:*:*:*:*:*
Vendors & Products Lmcache
Lmcache lmcache
References
Metrics cvssV2_0

{'score': 2.4, 'vector': 'AV:L/AC:H/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.6, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Lmcache Lmcache
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-04T17:28:11.271Z

Reserved: 2026-06-04T05:34:15.425Z

Link: CVE-2026-10813

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-04T16:16:32.883

Modified: 2026-06-04T16:32:40.690

Link: CVE-2026-10813

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T17:00:15Z

Weaknesses