Inefficient regular expression complexity in vLLM - CVE-2026-55574
Published: July 2, 2026
vLLM
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to inefficient regular expression complexity in the structured_outputs.regex API in the xgrammar and outlines backends when compiling a user-supplied regex string. A remote attacker can send a specially crafted regex pattern to cause a denial of service.
A single crafted request can hang an inference worker indefinitely.