CVE-2026-55514
Received Received - Intake

Memory Corruption in vLLM LLM Inference Library

Vulnerability report for CVE-2026-55514, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with a model using M-RoPE causes EngineCore to fail an assertion and fatally crash, shutting down the entire server application. Any remote user who is authorized to make a /v1/completions request can make such a request and induce a crash. This issue is fixed in version 0.24.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the vLLM library versions from 0.12.0 to before 0.24.0. When a remote user who is authorized to make a /v1/completions request sends a pure prompt with a model using M-RoPE, it causes the EngineCore component to fail an assertion and crash fatally. This crash shuts down the entire server application.

Impact Analysis

This vulnerability can cause the entire server application running the vLLM library to crash and shut down unexpectedly. Any authorized remote user can trigger this crash by sending a specially crafted request, potentially leading to denial of service and disruption of services relying on the server.

Mitigation Strategies

To mitigate this vulnerability, upgrade the vLLM library to version 0.24.0 or later, where the issue is fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55514. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart