vLLM Vulnerabilities

pip LLM Inference

AI Threat Alert tracks 75 known vulnerabilities in vLLM, 11 rated critical — an AI/ML llm inference in the pip ecosystem. Each CVE includes CVSS severity, EPSS exploit probability, patch status, and CISO-grade analysis.

Data sources
61
Risk Score
75
Total CVEs
11
Critical
pip
Ecosystem
Jun 22, 2026
Last CVE
23%
Patch Rate
51d
Avg Time to Patch
84,601 stars 18,589 forks 5,482 issues 130 dependents Last push Jun 28, 2026
View on GitHub

Known Vulnerabilities (75 total, page 1 of 3)

Severity CVE ID Summary CVSS Published
HIGH CVE-2026-56209 An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames 7.1 Jun 19, 2026 HIGH CVE-2026-56211 A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control f 7.1 Jun 19, 2026 HIGH CVE-2026-56210 A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclos 7.1 Jun 19, 2026 HIGH CVE-2026-56208 A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could e 7.6 Jun 19, 2026 MEDIUM CVE-2026-4878 A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation. 6.7 Apr 9, 2026 HIGH CVE-2026-4775 A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, potentially causing a denial of service (application crash) or arbitrary code execution. 7.8 Mar 24, 2026 HIGH CVE-2026-10118 A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF. 7.8 Jun 1, 2026 HIGH CVE-2025-5318 A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior. 8.1 Jun 24, 2025 HIGH CVE-2025-9900 A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the 8.8 Sep 23, 2025 HIGH CVE-2026-54232 vLLM: dependency confusion RCE backdoors container images 8.8 Jun 22, 2026 HIGH CVE-2026-56340 vLLM: sparse tensor DoS/memory corruption via embeddings 7.5 Jun 20, 2026 HIGH CVE-2025-71379 vLLM: ReDoS via crafted API input causes DoS 7.5 Jun 20, 2026 MEDIUM CVE-2026-12706 FFmpeg RASC: UAF in decoder crashes AI inference containers 6.5 Jun 19, 2026 UNKNOWN CVE-2026-54235 vLLM: NaN/Inf bypass crashes GPU inference workers -- Jun 17, 2026 MEDIUM GHSA-8jr5-v98p-w75m vllm: EXIF/tRNS preprocessing gap enables adversarial input 4.8 Jun 17, 2026 UNKNOWN CVE-2026-53923 vLLM: integer truncation leaks GPU memory cross-tenant -- Jun 17, 2026 MEDIUM CVE-2026-54236 vLLM: heap address leak enables ASLR bypass 5.3 Jun 17, 2026 MEDIUM CVE-2026-54233 vLLM: decompression bomb OOM via audio endpoint 6.5 Jun 17, 2026 MEDIUM CVE-2026-12491 vLLM: image metadata mishandling corrupts multimodal inputs 4.8 Jun 17, 2026 HIGH CVE-2026-41523 vLLM: assert bypass → RCE via poisoned HuggingFace model 7.5 Jun 16, 2026 CRITICAL CVE-2026-48746 vllm: auth bypass exposes OpenAI inference API 9.1 Jun 16, 2026 HIGH CVE-2026-5201 gdk-pixbuf: JPEG heap overflow crashes vLLM inference 7.5 Mar 31, 2026 HIGH CVE-2026-4111 libarchive: infinite loop DoS in RAR5 decompression 7.5 Mar 13, 2026 MEDIUM CVE-2025-14831 GnuTLS: TLS cert parsing DoS hits vllm inference 5.3 Feb 9, 2026 HIGH CVE-2023-52356 libtiff: heap overflow DoS in vLLM inference via TIFF input 7.5 Jan 25, 2024

Showing 1–25 of 75

Frequently asked questions

What is vLLM?

vLLM is an AI/ML llm inference tracked by AI Threat Alert for security vulnerabilities in the pip ecosystem.

How many known vulnerabilities does vLLM have?

vLLM has 75 known CVEs, 11 of them critical, tracked from NVD and GitHub Advisory.

Which ecosystem is vLLM distributed in?

vLLM is distributed via the pip ecosystem and categorized as llm inference.

Where does the vLLM vulnerability data come from?

Vulnerability data is sourced from NVD and GitHub Advisory, enriched with CVSS, EPSS, exploit signals, and patch status for each CVE.

How do I assess the risk of vLLM?

Review each CVE below — every entry shows CVSS severity, EPSS exploit probability, exploitation signals, and whether a patched version is available.

Monitor vLLM in your stack

Get instant alerts when new vulnerabilities affect vLLM. CISO analysis, ATLAS technique mappings, and compliance reports included.

Start Monitoring