What happened
vLLM's rejection sampler for speculative decoding did not bound-check a boundary token-index value before conversion, so a legally-formed multi-request workload could trigger a crash of the entire serving process.
Why it matters
Speculative decoding is a widely-used performance feature in production LLM serving; a crash-inducing input from ordinary API usage (not requiring exploit crafting beyond normal request shapes) can take down shared inference infrastructure serving multiple downstream applications.
Attack vector
A frontend-legal multi-request speculative decoding workload can cause the rejection sampler to produce a recovered token equal to the model vocabulary size boundary value; when this out-of-range value is converted downstream it crashes the serving process, allowing a remote authenticated-or-unauthenticated user (depending on deployment) to deny service.
Affected systems
vLLM inference/serving engine, versions prior to 0.24.0
Mitigation
Upgrade to vLLM >= 0.24.0.