Improper handling of highly compressed data in vLLM - CVE-2026-54233

Published: July 2, 2026


Vulnerability identifier: #VU136795
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-54233
CWE-ID: CWE-409
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: vLLM
Affected software:
vLLM

Detailed vulnerability description

The vulnerability allows a remote authenticated user to cause a denial of service (the vector above scores it PR:L, so an API credential is required).

The vulnerability exists due to improper handling of highly compressed data (CWE-409) in the /v1/audio/transcriptions endpoint when it processes compressed audio uploads. A remote user can upload a specially crafted audio file to exhaust server memory.

The root cause is that the endpoint limits the size of the compressed upload but not the size of the decoded PCM output. A small, highly compressible file therefore passes the upload check and then expands into a very large PCM buffer while the audio is decoded and the decoded segments are concatenated, consuming excessive memory.
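The pattern below is an added illustration of the mitigation the description implies (cap the decoded PCM, not only the compressed upload). It is not vLLM's code and does not reproduce the vendor's patch; the byte limits, the `fake_decoder` stand-in for a real codec, and all function names are assumptions made for the example.

```python
"""Bounding decoded PCM size for compressed audio uploads (illustrative, not vLLM code)."""
from dataclasses import dataclass
from typing import Iterator, Optional

# Assumed limits for the example. A cap on the compressed upload alone is the
# vulnerable configuration: it says nothing about how large the decoded PCM gets.
MAX_UPLOAD_BYTES = 25 * 1024 * 1024          # 25 MiB of compressed input
MAX_PCM_BYTES = 16_000 * 1 * 2 * 60 * 10     # 10 min of 16 kHz mono int16 PCM


class AudioTooLarge(ValueError):
    """Raised when an upload would decode to more PCM than the server allows."""


@dataclass
class AudioMeta:
    """Stream parameters a container/codec header declares before any decoding."""
    sample_rate: int
    channels: int
    bytes_per_sample: int
    duration_s: float


def expected_pcm_bytes(meta: AudioMeta) -> int:
    """Decoded size implied by the declared parameters: rate * channels * width * seconds."""
    return int(meta.sample_rate * meta.channels * meta.bytes_per_sample * meta.duration_s)


def preflight(meta: AudioMeta, max_pcm_bytes: int = MAX_PCM_BYTES) -> int:
    """Reject before decoding when the header alone already exceeds the PCM budget.

    Headers can lie, so this is a cheap first gate, not the only one."""
    n = expected_pcm_bytes(meta)
    if n > max_pcm_bytes:
        raise AudioTooLarge(f"declared PCM size {n} exceeds cap {max_pcm_bytes}")
    return n


def check_upload(compressed: bytes, max_upload: int = MAX_UPLOAD_BYTES) -> bool:
    """The check the vulnerable endpoint already had: compressed size only."""
    return len(compressed) <= max_upload


def decode_unbounded(chunks: Iterator[bytes]) -> bytes:
    """Vulnerable pattern: concatenate every decoded segment with no output limit."""
    return b"".join(chunks)


def decode_bounded(chunks: Iterator[bytes], max_pcm_bytes: int = MAX_PCM_BYTES) -> bytes:
    """Hardened pattern: stop as soon as the running PCM total would pass the cap."""
    out = bytearray()
    for chunk in chunks:
        if len(out) + len(chunk) > max_pcm_bytes:
            raise AudioTooLarge(f"decoded PCM exceeds cap {max_pcm_bytes}")
        out += chunk
    return bytes(out)


def fake_decoder(compressed: bytes, expansion: int) -> Iterator[bytes]:
    """Constructed stand-in for a real codec: each input byte yields `expansion`
    bytes of silence. A real decompression bomb reaches a similar ratio with
    long runs of silence or repeated frames."""
    for _ in compressed:
        yield bytes(expansion)


def transcribe_upload(compressed: bytes, expansion: int) -> Optional[int]:
    """Decode with both gates applied; return the PCM length, or None when rejected."""
    if not check_upload(compressed):
        return None
    try:
        return len(decode_bounded(fake_decoder(compressed, expansion)))
    except AudioTooLarge:
        return None


if __name__ == "__main__":
    legit = bytes(1024)   # constructed 1 KiB upload with a modest 100x expansion
    bomb = bytes(1024)    # constructed 1 KiB upload expanding 1 MiB per byte (~1 GiB of PCM)
    print("legit:", transcribe_upload(legit, 100))           # 102400
    print("bomb passes upload check:", check_upload(bomb))    # True
    print("bomb:", transcribe_upload(bomb, 1024 * 1024))      # None
```

Both gates matter: the header-based preflight is cheap but trusts attacker-controlled metadata, while the bounded accumulator is what actually stops the bomb once a real decoder starts emitting samples. With a real codec library the same idea applies by decoding in segments and checking the running total before each concatenation, with the cap aligned to the longest audio the transcription model is meant to accept.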


How to mitigate CVE-2026-54233

Install the security update from the vendor's website. Until it is applied, restrict access to the /v1/audio/transcriptions endpoint to trusted clients and, where the deployment allows it, cap the duration of accepted audio at the application layer.

Sources