Vulnerability Description
vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large n value. This completely blocks the Python asyncio event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue. This vulnerability is fixed in 0.19.0.
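For deployments that cannot move to 0.19.0 immediately, the missing upper bound on n can be enforced in front of the API server; the following pre-forwarding check is an added example, not vLLM's code or its fix. The function name, the cap of 16 and the guarded route list are assumptions chosen for illustration.

```python
import json

# Assumed deployment cap; the page does not state what limit 0.19.0 enforces.
MAX_N = 16
# OpenAI-compatible routes assumed to carry the two affected request models.
GUARDED_PATHS = {"/v1/completions", "/v1/chat/completions"}


def check_n(path, body, max_n=MAX_N):
    """Return (allowed, reason) for one request before it is forwarded."""
    if path not in GUARDED_PATHS:
        return True, "path not guarded"
    try:
        payload = json.loads(body)
    except ValueError:  # malformed JSON, bad UTF-8, or an unparseable integer
        return False, "body is not valid JSON"
    if not isinstance(payload, dict):
        return False, "body is not a JSON object"
    n = payload.get("n")
    if n is None:
        return True, "n omitted, server default applies"
    # bool is a subclass of int in Python, so exclude it explicitly;
    # floats such as 1e9 are rejected rather than coerced to an integer.
    if isinstance(n, bool) or not isinstance(n, int):
        return False, "n must be an integer"
    if n < 1:
        return False, "n must be at least 1"
    if n > max_n:
        return False, f"n={n} exceeds cap of {max_n}"
    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("/v1/chat/completions", b'{"model": "m", "messages": [], "n": 2}'),
    ("/v1/chat/completions", b'{"model": "m", "messages": [], "n": 100000000}'),
    ("/v1/completions", b'{"model": "m", "prompt": "hi", "n": 1e9}'),
    ("/v1/completions", b'{"model": "m", "prompt": "hi"}'),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        allowed, reason = check_n(path, body)
        print("ALLOW" if allowed else "REJECT", path, "-", reason)
```

Run the check on the raw body at the proxy or gateway, so an oversized n is rejected before the request is parsed by the serving process.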
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vllm | Vllm | >= 0.1.0, < 0.19.0 |
Related Weaknesses (CWE)
References
- https://github.com/vllm-project/vllm/commit/b111f8a61f100fdca08706f41f29ef3548de (Patch)
- https://github.com/vllm-project/vllm/pull/37952 (Issue Tracking, Patch)
- https://github.com/vllm-project/vllm/security/advisories/GHSA-3mwp-wvh9-7528 (Patch, Vendor Advisory)
FAQ
What is CVE-2026-34756?
CVE-2026-34756 is a vulnerability with a CVSS score of 6.5 (MEDIUM).
How severe is CVE-2026-34756?
CVE-2026-34756 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34756?
Check the references section above for vendor advisories and patch information. Affected products include: Vllm Vllm.