SB2026010936 - Multiple vulnerabilities in vLLM

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026010936

SB2026010936 - Multiple vulnerabilities in vLLM

Published: January 9, 2026

Security Bulletin ID SB2026010936
Severity
High
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Medium 25% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2025-46560)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists in the input preprocessing logic of the multimodal tokenizer. A remote user can pass specially crafted data to the application to trigger resource exhaustion and perform a denial of service (DoS) attack.


2) Deserialization of untrusted data (CVE-ID: CVE-2025-32444)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data in Mooncake integration. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Note, only systems with Mooncake integration are affected. 


3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-30202)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing connection requests. A remote attacker can establish multiple connections to the XPUB socket without reading any data and perform a denial of service attack. 


4) Deserialization of untrusted data (CVE-ID: CVE-2025-47277)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data within the PyNcclPipe service. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Note, this vulnerability affects only environments using the PyNcclPipe KV cache transfer integration with the V0 engine.


Remediation

Install update from vendor's website.

References