vLLM Patches Two New DoS CVEs in v0.24.0 — Audio Memory Exhaustion and Regex ReDoS

AI relevance: vLLM is one of the most widely deployed LLM inference engines — these CVEs let unauthenticated attackers crash or hang serving instances, directly impacting availability of any production AI workload running affected versions.

What was found

  • CVE-2026-55646 (CVSS 6.5): The /v1/audio/transcriptions and /v1/audio/translations routes call request.file.read() to fully materialize an uploaded audio file into memory before checking the documented VLLM_MAX_AUDIO_CLIP_FILESIZE_MB limit (default 25 MB).
  • An API caller can submit an oversized multipart upload and force vLLM to allocate memory proportional to the full file size before the request is rejected.
  • Depending on deployment resource limits, this causes memory pressure or outright process termination — a textbook uncontrolled resource consumption bug (CWE-400, CWE-770).
  • Affects vLLM 0.22.0 through 0.23.0. Fixed in 0.24.0.

Regex ReDoS via structured outputs

  • CVE-2026-55574 (CVSS 7.5–8.7): The structured_outputs.regex API parameter passes user-supplied regex strings directly to grammar compiler backends with no compilation timeout or complexity analysis.
  • In the xgrammar backend, regex strings reach the compiler with zero guards. In outlines, structural issues like lookarounds are blocked but nested quantifiers pass validation and cause exponential state-space expansion.
  • A single request containing an adversarial regex pattern can hang an inference worker indefinitely — denying service to all concurrent users of that worker.
  • Also fixed in vLLM 0.24.0.

Why it matters

Both vulnerabilities are remotely exploitable without authentication. Any internet-facing vLLM instance running speech-to-text routes or exposing the structured outputs API is at risk. The regex CVE is particularly insidious because it targets the grammar compilation path — a component most operators wouldn't think to monitor for resource exhaustion. Combined, these bugs mean an attacker can take down inference workers through two completely independent vectors.

What to do

  • Upgrade vLLM to 0.24.0 or later immediately.
  • If you cannot upgrade, add a reverse-proxy limit on upload body size for audio endpoints (well below your memory ceiling).
  • For the regex CVE: implement input validation and complexity analysis on user-supplied regex patterns before they reach the grammar compiler, or add a compilation timeout as defense-in-depth.
  • Monitor vLLM worker memory usage and set OOM alerts — sudden spikes may indicate active exploitation attempts.

Sources