Description
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal multi-request speculative decoding workload can cause the rejection sampler to produce a recovered token equal to the model vocabulary size boundary value, which is then converted to negative one when the engine selects the next live token for a request and is written back into the drafter's input ids; that out-of-vocabulary value is later consumed by the model's embedding and attention path and crashes the engine worker with a GPU device-side assertion. The same triggering request sequence is reachable through the public gRPC Generate and Abort endpoints, so a remote client that can send generation requests can crash the shared engine worker, aborting concurrent requests and causing a service-wide denial of service for other clients of the deployment until the worker is restarted. This issue is fixed in version 0.24.0.
Published: 2026-07-06
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when a speculative decoding workload causes the rejection sampler to produce a recovered token equal to the model vocabulary size boundary. This token is converted to negative one and passed into the engine’s drafter input ids, leading to an out‑of‑vocabulary value that is later used by the model’s embedding and attention layers. The engine worker eventually crashes due to a GPU device‑side assertion. The result is a process crash that terminates the shared engine worker, aborting any concurrent requests and causing a service‑wide denial of service for all clients until the worker is restarted. The weakness is an out‑of‑bounds input resulting in an assertion failure (CWE‑20) and a related memory‑access issue (CWE‑1284).

Affected Systems

vllm-project vllm, all releases prior to 0.24.0. The vulnerability is present in every version of vLLM that predates the 0.24.0 release, which was released to correct this flaw. Clients using the public gRPC Generate and endpoints are at risk when interacting with a shared engine worker.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity dependence on remote user interaction. The EPSS score is not available, but the vulnerability can be triggered via the publicly exposed gRPC endpoints, so the attack vector is remote. The KEV catalog does not list this issue, but the combination of a high CVSS score and the ability to crash the service already renders it a serious threat. An attacker only needs to send a carefully crafted series of generation requests; no additional privileges are required.

Generated by OpenCVE AI on July 7, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vLLM to version 0.24.0 or later, where the fix removes the out‑of‑bounds token handling.
  • While upgrading, restrict access to the public gRPC Generate and Abort endpoints; limit connections to trusted clients or implement authentication to prevent arbitrary clients from triggering the crash.
  • Implement a monitoring and auto‑restart mechanism for the engine worker to quickly recover from unexpected crashes and reduce downtime.

Generated by OpenCVE AI on July 7, 2026 at 05:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Vllm-project
Vllm-project vllm
Vendors & Products Vllm-project
Vllm-project vllm

Mon, 06 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Description vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal multi-request speculative decoding workload can cause the rejection sampler to produce a recovered token equal to the model vocabulary size boundary value, which is then converted to negative one when the engine selects the next live token for a request and is written back into the drafter's input ids; that out-of-vocabulary value is later consumed by the model's embedding and attention path and crashes the engine worker with a GPU device-side assertion. The same triggering request sequence is reachable through the public gRPC Generate and Abort endpoints, so a remote client that can send generation requests can crash the shared engine worker, aborting concurrent requests and causing a service-wide denial of service for other clients of the deployment until the worker is restarted. This issue is fixed in version 0.24.0.
Title vLLM: Remote DoS in vLLM via Invalid Recovered Token Reinjection
Weaknesses CWE-1284
CWE-20
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Vllm-project Vllm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-06T19:49:20.481Z

Reserved: 2026-06-12T16:25:43.084Z

Link: CVE-2026-54234

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T05:30:04Z

Weaknesses
  • CWE-1284

    Improper Validation of Specified Quantity in Input

  • CWE-20

    Improper Input Validation