Vulnerability  ·  2026-07-07

vLLM — Speculative Decoding Rejection-Sampler Boundary Crash

VulnerabilityHigh impactGlobalCVE-2026-54234
vLLM's rejection sampler for speculative decoding did not bound-check a boundary token-index value before conversion, so a legally-formed multi-request workload could trigger a crash of the entire serving process.
Speculative decoding is a widely-used performance feature in production LLM serving; a crash-inducing input from ordinary API usage (not requiring exploit crafting beyond normal request shapes) can take down shared inference infrastructure serving multiple downstream applications.
A frontend-legal multi-request speculative decoding workload can cause the rejection sampler to produce a recovered token equal to the model vocabulary size boundary value; when this out-of-range value is converted downstream it crashes the serving process, allowing a remote authenticated-or-unauthenticated user (depending on deployment) to deny service.
vLLM inference/serving engine, versions prior to 0.24.0
Upgrade to vLLM >= 0.24.0.
NVD CVE-2026-54234vLLM fix commit
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →