CVE-2026-54233
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
vLLM is an inference and serving engine for large language models. Prior to version 0.23.1rc0, the /v1/audio/transcriptions endpoint limits compressed upload size but not decoded PCM output, which could lead to excessive resource consumption.
Risk Assessment
Organizations may experience performance issues or system crashes due to excessive load from large PCM files. This could lead to service availability interruptions.
Recommendation
It is recommended to upgrade to version 0.23.1rc0 or later to mitigate this vulnerability.
Original NVD description (English source)
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, vLLM's /v1/audio/transcriptions endpoint limits compressed upload size but not decoded PCM output. A 25MB OPUS file expands to ~14.9GB of float32 PCM at decode time. This vulnerability is fixed in 0.23.1rc0.

