CVE-2026-55514 in vLLM
Summary
by MITRE • 07/06/2026
vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with a model using M-RoPE causes EngineCore to fail an assertion and fatally crash, shutting down the entire server application. Any remote user who is authorized to make a /v1/completions request can make such a request and induce a crash. This issue is fixed in version 0.24.0.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/06/2026
The vulnerability resides within the vLLM library's handling of specific payload structures during inference operations, particularly affecting versions between 0.12.0 and 0.23.9. This flaw manifests when a malicious user submits a /v1/completions request containing a prompt embeds payload that utilizes M-RoPE (Multi-Resolution Rotary Positional Embedding) functionality. The EngineCore component fails to properly validate or handle this specific combination of parameters, leading to an assertion failure that terminates the entire server application. This represents a critical denial-of-service vulnerability that can be exploited by any authenticated user with permission to submit completion requests, making it particularly dangerous in production environments where such access might be granted to external parties.
The technical root cause stems from inadequate input validation within the EngineCore module responsible for processing LLM inference requests. When M-RoPE is applied to a prompt embeds payload in the specific manner described, the internal state management fails to maintain consistency, triggering an assertion that cannot be recovered from gracefully. This assertion failure propagates up through the application stack and results in a fatal crash of the entire server process rather than a graceful error handling mechanism. The vulnerability aligns with CWE-248, which addresses "Uncaught Exception" scenarios where an exception is not properly handled, leading to program termination. From an operational perspective, this vulnerability creates a significant risk for any deployment that allows external access to completion endpoints.
The impact of this vulnerability extends beyond simple service disruption as it can be exploited remotely by unauthorized parties who have authentication credentials to make completion requests. The crash affects the entire server application rather than individual request processing, meaning that legitimate users may experience complete service outages until manual intervention occurs. This makes the vulnerability particularly attractive to attackers seeking to disrupt services or perform reconnaissance activities. The fix implemented in version 0.24.0 addresses this by adding proper input validation and error handling for M-RoPE configurations within prompt embeds payloads, preventing the assertion failure from occurring. Organizations should prioritize immediate upgrade to version 0.24.0 or later to mitigate this risk, as no effective workarounds exist without modifying the core library behavior.
From an ATT&CK framework perspective, this vulnerability maps to T1499.004 which covers "Utilities: System Shutdown/Reboot" and represents a service disruption attack vector. The exploitation requires minimal technical skill beyond having valid authentication credentials for the completion endpoint, making it accessible to attackers with basic authorization levels. Network defenders should monitor for unusual patterns of completion requests that might indicate exploitation attempts, particularly those involving M-RoPE configurations or unusual embedding structures. The vulnerability also highlights the importance of proper input validation in AI inference libraries and demonstrates how specific combinations of features can create unexpected failure modes in complex machine learning systems.