Input validation error in vLLM - CVE-2026-54234
Published: July 2, 2026
vLLM
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the speculative decoding path when handling overlapping public gRPC Generate and Abort requests. A remote attacker can send a specific overlapping request sequence to cause a denial of service.
In shared deployments, exploitation can crash the engine worker, abort concurrent requests, and prevent later requests from completing until the worker is restarted. The issue was reproduced on Qwen3 GPTQ.