CVE-2026-44223
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk28th percentile - higher than 28% of all known CVEs
Summary
vLLM is an inference and serving engine for large language models. From versions 0.18.0 to before 0.20.0, the extract_hidden_states function in vLLM returns a tensor with an incorrect shape after the first decode step, leading to a RuntimeError and crashing the EngineCore process.
Risk Assessment
Server crashes can lead to service downtime related to language models, affecting the organization's operational continuity. A single request with a penalty parameter is sufficient to trigger a crash.
Recommendation
It is recommended to update vLLM to version 0.20.0 to mitigate this vulnerability. Additionally, monitor the use of penalty parameters in requests.
Original NVD description (English source)
vLLM is an inference and serving engine for large language models (LLMs). From 0.18.0 to before 0.20.0, the extract_hidden_states speculative decoding proposer in vLLM returns a tensor with an incorrect shape after the first decode step, causing a RuntimeError that crashes the EngineCore process. The crash is triggered when any request in the batch uses sampling penalty parameters (repetition_penalty, frequency_penalty, or presence_penalty). A single request with a penalty parameter (e.g., "repetition_penalty": 1.1) is sufficient to crash the server. This vulnerability is fixed in 0.20.0.

