Improper handling of highly compressed data in vLLM - CVE-2026-54233
Published: July 2, 2026
vLLM
Detailed vulnerability description
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper handling of highly compressed data in the /v1/audio/transcriptions endpoint when processing compressed audio uploads. A remote user can send a specially crafted audio file to cause a denial of service.
The issue arises because the endpoint limits compressed upload size but not decoded PCM output, allowing excessive memory consumption during audio decoding and concatenation.
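The gap described above, a limit on compressed size with none on decoded size, is closed by decoding in bounded steps and counting output against a budget before concatenating. The following is an added illustration, not vLLM code or the project's fix: `zlib` stands in for the audio codec, and the function name, exception and limit values are assumptions.

```python
import zlib

# Assumed limits for illustration; not values from vLLM.
MAX_UPLOAD_BYTES = 1024 * 1024           # cap on the compressed upload
MAX_DECODED_BYTES = 32 * 1024 * 1024     # cap on total decoded output
CHUNK = 64 * 1024                        # max decoded bytes per decode step


class DecodedTooLarge(ValueError):
    """Decoded output exceeded the configured budget."""


def decode_bounded(upload: bytes, max_decoded: int = MAX_DECODED_BYTES) -> bytes:
    """Decode incrementally and abort once the output budget is exceeded."""
    if len(upload) > MAX_UPLOAD_BYTES:
        raise ValueError("compressed upload too large")
    decoder = zlib.decompressobj()       # stand-in for an audio decoder
    parts, total, pending = [], 0, upload
    while not decoder.eof:
        # max_length bounds the output of this step; unread input is kept
        # in unconsumed_tail for the next iteration.
        chunk = decoder.decompress(pending, CHUNK)
        pending = decoder.unconsumed_tail
        if not chunk and not pending and not decoder.eof:
            raise ValueError("truncated or corrupt stream")
        total += len(chunk)
        if total > max_decoded:
            # Reject before buffering more; peak memory stays near the cap.
            raise DecodedTooLarge(f"decoded output exceeds {max_decoded} bytes")
        parts.append(chunk)
    return b"".join(parts)               # concatenation is bounded by the cap


if __name__ == "__main__":
    # Constructed input: 8 MiB of zero bytes compresses to a few KiB, so it
    # passes the upload-size check but not a 1 MiB decoded budget.
    sample = zlib.compress(bytes(8 * 1024 * 1024))
    print("compressed bytes:", len(sample))
    try:
        decode_bounded(sample, max_decoded=1024 * 1024)
    except DecodedTooLarge as exc:
        print("rejected:", exc)
```

With a real audio decoder the same budget can be expressed as a maximum duration, since decoded PCM size is sample rate times channels times bytes per sample times seconds.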