CVE-2026-10775 in SGLang
Summary
by MITRE • 06/04/2026
A vulnerability was determined in sgl-project SGLang up to 0.5.11. Affected by this vulnerability is the function data_hash of the component Cache Handler. This manipulation causes denial of service. The attack is restricted to local execution. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.
Analysis
by VulDB Data Team • 06/04/2026
The vulnerability in sgl-project SGLang version 0.5.11 and earlier affects the Cache Handler component through its data_hash function, representing a significant security concern that could compromise system availability. This issue falls under the category of denial of service vulnerabilities where the attacker can disrupt normal operations by manipulating the hash calculation mechanism. The vulnerability's impact is particularly concerning as it affects the core caching functionality that likely serves as a performance optimization layer within the application's architecture.
The technical flaw resides in the data_hash function implementation within the Cache Handler module, where improper handling of input data or hash calculation logic creates a potential attack vector. According to CWE classification systems, this vulnerability likely maps to CWE-400 or CWE-665, representing improper handling of exceptional conditions or insufficient input validation that could lead to resource exhaustion or system instability. The attack requires local execution privileges, indicating that the vulnerability does not expose the system to remote exploitation, but rather represents an internal threat vector where compromised local access could be leveraged.
The operational impact of this vulnerability extends beyond simple service disruption, as it affects the fundamental caching mechanisms that applications depend upon for performance optimization and data retrieval. When exploited, the vulnerability can cause the application to become unresponsive or crash, effectively denying legitimate users access to cached resources and potentially cascading into broader system performance degradation. This type of vulnerability aligns with ATT&CK technique T1499.004, which covers network denial of service attacks, though the local execution requirement modifies the attack surface classification.
The complexity required for exploitation and the publicly disclosed nature of the vulnerability present a significant risk to systems running affected versions. While the attack requires local execution privileges, the difficulty of exploitation does not eliminate the threat entirely, as local privilege escalation or other attack vectors could potentially lead to this condition. The fact that a pull request exists to address the issue indicates that the maintainers have identified and developed a solution, but the delay in acceptance creates a window of vulnerability. Organizations should implement immediate mitigations including patching to the latest version, restricting local execution privileges where possible, and monitoring for unauthorized local access attempts. The vulnerability demonstrates the importance of thorough input validation and proper error handling in caching systems, as these components are often overlooked during security assessments but represent critical attack surfaces in application architecture.