CVE-2026-34756
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk27th percentile - higher than 27% of all known CVEs
Summary
A DoS vulnerability in vLLM from version 0.1.0 to before 0.19.0 allows an unauthenticated attacker to block the asyncio event loop and cause Out-Of-Memory crashes by sending a single HTTP request with an astronomically large n parameter in ChatCompletionRequest and CompletionRequest models.
Risk Assessment
The attack can completely disrupt the vLLM API server, causing denial of service for all users and potential financial losses due to downtime.
Recommendation
Upgrade vLLM to version 0.19.0 or later, which includes a fix that enforces an upper bound on the n parameter.
Original NVD description (English source)
vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large n value. This completely blocks the Python asyncio event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue. This vulnerability is fixed in 0.19.0.

