CVE Catalog

CVE-2026-34756

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile - higher than 27% of all known CVEs

Summary

A DoS vulnerability in vLLM from version 0.1.0 to before 0.19.0 allows an unauthenticated attacker to block the asyncio event loop and cause Out-Of-Memory crashes by sending a single HTTP request with an astronomically large n parameter in ChatCompletionRequest and CompletionRequest models.

Risk Assessment

The attack can completely disrupt the vLLM API server, causing denial of service for all users and potential financial losses due to downtime.

Recommendation

Upgrade vLLM to version 0.19.0 or later, which includes a fix that enforces an upper bound on the n parameter.

Original NVD description (English source)

vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large n value. This completely blocks the Python asyncio event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue. This vulnerability is fixed in 0.19.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS