Impact
The vulnerability arises when a speculative decoding workload causes the rejection sampler to produce a recovered token equal to the model vocabulary size boundary. This token is converted to negative one and passed into the engine’s drafter input ids, leading to an out‑of‑vocabulary value that is later used by the model’s embedding and attention layers. The engine worker eventually crashes due to a GPU device‑side assertion. The result is a process crash that terminates the shared engine worker, aborting any concurrent requests and causing a service‑wide denial of service for all clients until the worker is restarted. The weakness is an out‑of‑bounds input resulting in an assertion failure (CWE‑20) and a related memory‑access issue (CWE‑1284).
Affected Systems
vllm-project vllm, all releases prior to 0.24.0. The vulnerability is present in every version of vLLM that predates the 0.24.0 release, which was released to correct this flaw. Clients using the public gRPC Generate and endpoints are at risk when interacting with a shared engine worker.
Risk and Exploitability
The CVSS score is 7.5, indicating a high severity dependence on remote user interaction. The EPSS score is not available, but the vulnerability can be triggered via the publicly exposed gRPC endpoints, so the attack vector is remote. The KEV catalog does not list this issue, but the combination of a high CVSS score and the ability to crash the service already renders it a serious threat. An attacker only needs to send a carefully crafted series of generation requests; no additional privileges are required.
OpenCVE Enrichment