Bug 2491578 (CVE-2026-54233)
| Summary: | CVE-2026-54233 vllm: vLLM: Denial of Service via excessive memory allocation in audio transcription | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | alinfoot, bbrownin, dtrifiro, jkoehler, lphiri, rbryant, weaton |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). A remote attacker could exploit a vulnerability in the `/v1/audio/transcriptions` endpoint. By uploading a specially crafted compressed audio file, such as an OPUS file, the attacker could cause the system to allocate an excessive amount of memory during the decoding process. This uncontrolled memory allocation can lead to a Denial of Service (DoS) condition, making the service unavailable to legitimate users.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-06-22 23:01:11 UTC
|