CVE-2026-54234 in vLLMinfo

Summary

by MITRE • 07/07/2026

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal multi-request speculative decoding workload can cause the rejection sampler to produce a recovered token equal to the model vocabulary size boundary value, which is then converted to negative one when the engine selects the next live token for a request and is written back into the drafter's input ids; that out-of-vocabulary value is later consumed by the model's embedding and attention path and crashes the engine worker with a GPU device-side assertion. The same triggering request sequence is reachable through the public gRPC Generate and Abort endpoints, so a remote client that can send generation requests can crash the shared engine worker, aborting concurrent requests and causing a service-wide denial of service for other clients of the deployment until the worker is restarted. This issue is fixed in version 0.24.0.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

This vulnerability affects vLLM versions prior to 0240 where a specific pattern of multi-request speculative decoding can trigger a critical failure in the engine's token handling mechanism. The flaw occurs during the rejection sampling process where a recovered token value exceeds the model vocabulary size boundary and gets converted to negative one, creating an invalid input that propagates through the system. The technical implementation involves the interaction between the drafter and rejector components in speculative decoding, where the out-of-vocabulary token value of -1 is written back into the drafter's input ids, eventually reaching the model's embedding and attention layers. This represents a classic buffer overflow condition in the token processing pipeline that leads to GPU assertion failures.

The operational impact of this vulnerability extends beyond simple crashes to encompass complete service disruption for all clients connected to the affected engine worker. Remote attackers capable of sending generation requests through the public gRPC Generate and Abort endpoints can systematically crash the engine worker, causing cascading failures that abort concurrent requests and result in widespread denial of service across the entire deployment. The vulnerability manifests as a device-side assertion failure on the GPU, indicating that the invalid token value is being processed in hardware rather than being caught at software level validation. This type of failure falls under CWE-129 Input Validation and CWE-787 Out-of-bounds Write, with the denial of service aspect mapping to ATT&CK technique T1499.004 Network Denial of Service.

The root cause lies in insufficient boundary checking during the speculative decoding process where token values are not properly validated against vocabulary size constraints before being written back into the input pipeline. The system fails to account for edge cases where rejection sampling might produce values that exceed the expected range, particularly when dealing with multiple concurrent requests. The fix implemented in version 0.24.0 addresses this by adding proper boundary validation checks that prevent out-of-vocabulary token values from propagating through the system and reaching the GPU processing layers. This mitigation strategy aligns with defensive programming practices and follows industry standards for preventing buffer overflows and invalid memory access patterns in machine learning inference engines, ensuring that all token values remain within valid vocabulary ranges throughout the speculative decoding workflow.

Responsible

GitHub M

Reservation

06/12/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!