CVE-2026-54233 - vLLM: OOM Denial of Service via Audio Decompression Bomb
CVE ID :CVE-2026-54233
Published : June 22, 2026, 10:10 p.m. | 3 hours, 30 minutes ago
Description :vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, vLLM's /v1/audio/transcriptions endpoint limits compressed upload size but not decoded PCM output. A 25MB OPUS file expands to ~14.9GB of float32 PCM at decode time. This vulnerability is fixed in 0.23.1rc0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Published : June 22, 2026, 10:10 p.m. | 3 hours, 30 minutes ago
Description :vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, vLLM's /v1/audio/transcriptions endpoint limits compressed upload size but not decoded PCM output. A 25MB OPUS file expands to ~14.9GB of float32 PCM at decode time. This vulnerability is fixed in 0.23.1rc0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...