2455425 – (CVE-2026-34756) CVE-2026-34756 vllm: vLLM: Denial of Service via excessively large 'n' parameter in OpenAI-compatible API

Bug 2455425 (CVE-2026-34756) - CVE-2026-34756 vllm: vLLM: Denial of Service via excessively large 'n' parameter in OpenAI-compatible API

Summary: CVE-2026-34756 vllm: vLLM: Denial of Service via excessively large 'n' parame...

Keywords:
Status:	NEW
Alias:	CVE-2026-34756
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-06 16:04 UTC by OSIDB Bzimport
Modified:	2026-04-06 20:29 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-06 16:04:08 UTC

vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large n value. This completely blocks the Python asyncio event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue. This vulnerability is fixed in 0.19.0.

Note You need to log in before you can comment on or make changes to this bug.