CVE-2026-54233

Source
https://cve.org/CVERecord?id=CVE-2026-54233
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54233.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54233
Aliases
Downstream
Related
Published
2026-06-22T22:10:45.689Z
Modified
2026-07-08T08:12:41.227494420Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
vLLM: OOM Denial of Service via Audio Decompression Bomb
Details

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, vLLM's /v1/audio/transcriptions endpoint limits compressed upload size but not decoded PCM output. A 25MB OPUS file expands to ~14.9GB of float32 PCM at decode time. This vulnerability is fixed in 0.23.1rc0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54233.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-409"
    ]
}
References

Affected packages

Git / github.com/vllm-project/vllm

Affected ranges

Type
GIT
Repo
https://github.com/vllm-project/vllm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.23.1rc0"
        }
    ]
}

Affected versions

Other
submission
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.10.0
v0.10.0rc1
v0.10.0rc2
v0.10.1rc1
v0.10.2rc1
v0.10.2rc2
v0.11.0rc1
v0.11.1
v0.11.1rc0
v0.11.1rc1
v0.11.1rc2
v0.11.1rc3
v0.11.1rc4
v0.11.1rc5
v0.11.1rc6
v0.13.0rc1
v0.14.0rc0
v0.14.0rc1
v0.15.0rc1
v0.15.2rc0
v0.16.0rc0
v0.16.0rc1
v0.17.0rc0
v0.17.1rc0
v0.17.2rc0
v0.18.0rc0
v0.18.1rc0
v0.18.2rc0
v0.19.1rc0
v0.19.2rc0
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.20.1rc0
v0.20.2rc0
v0.21.1rc0
v0.22.1rc0
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.4.0
v0.4.0.post1
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.5.0.post1
v0.5.1
v0.5.2
v0.5.3
v0.5.3.post1
v0.5.4
v0.5.5
v0.6.0
v0.6.1
v0.6.1.post1
v0.6.1.post2
v0.6.2
v0.6.3
v0.6.3.post1
v0.6.4
v0.6.4.post1
v0.6.5
v0.6.6
v0.6.6.post1
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.8.0rc1
v0.8.0rc2
v0.8.1
v0.8.2
v0.8.3rc1
v0.8.4
v0.9.0
v0.9.1
v0.9.1rc1
v0.9.1rc2
v0.9.2rc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54233.json"