<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:* - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/cpes/cpe2.3avllmvllm/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 17:08:53 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/cpes/cpe2.3avllmvllm/feed.xml" rel="self" type="application/rss+xml"/><item><title>vLLM Remote Denial of Service via Invalid Token Reinjection</title><link>https://feed.craftedsignal.io/briefs/2026-07-vllm-dos/</link><pubDate>Fri, 17 Jul 2026 17:08:53 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-vllm-dos/</guid><description>A frontend-legal multi-request speculative workload can cause vLLM to produce an out-of-vocabulary recovered token, which is then converted to an invalid value (-1) and reinjected into the drafting input IDs, leading to a GPU device-side assert and crashing the vLLM engine, causing a service-wide denial of service through a specific gRPC request sequence.</description><content:encoded><![CDATA[<p>A critical vulnerability, tracked as CVE-2026-54234, affects vLLM versions 0.17.1 up to (but not including) 0.24.0. This flaw allows a remote client to trigger a denial of service (DoS) in the vLLM engine. The attack is initiated by sending a specific, frontend-legal multi-request speculative workload that causes the engine to generate an out-of-vocabulary token. This invalid token is then incorrectly processed and reinjected into the model's input IDs, leading to a GPU <code>device-side assert</code> and a subsequent crash of the vLLM worker. The issue is reproducible and can be triggered via the public gRPC request surface using an overlapping <code>Generate</code> / <code>Abort</code> sequence. In shared deployment environments, this vulnerability enables a service-wide DoS, impacting all clients and preventing further requests until the engine is manually restarted. The vulnerability has been confirmed on vLLM version 0.17.1, specifically when using models like <code>Qwen/Qwen3-0.6B-GPTQ-Int8</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker initiates a frontend-legal multi-request speculative workload on a vulnerable vLLM engine, maintaining structured-output state, speculative decoding, overlap, and request cancellation.</li>
<li>During the rejection sampling phase of speculative decoding, vLLM produces a recovered token that is equal to the model's <code>vocab_size</code> boundary value (e.g., 151936 for Qwen3).</li>
<li>This out-of-vocabulary token appears at position 0 of the sampled speculative row for a live request, with other positions potentially filled with padding.</li>
<li>In the next-token preparation step, vLLM erroneously treats this out-of-vocabulary token as a real next token for the request and converts its value to <code>-1</code>.</li>
<li>The drafter component then writes this converted <code>-1</code> back into the live next-step input-id row for the processing request.</li>
<li>The drafting, embedding, or attention path within the GPU worker attempts to consume this invalid <code>-1</code> token, leading to a <code>CUDA error: device-side assert triggered</code>.</li>
<li>The GPU worker crashes, causing the entire vLLM engine to fail and become unresponsive to further requests, resulting in a service-wide denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of CVE-2026-54234 allows any remote client capable of sending gRPC generation requests to crash the shared vLLM engine worker. This not only aborts all concurrent requests but also prevents any subsequent requests from completing until the worker is manually restarted. In deployments where vLLM is shared across multiple clients, this vulnerability can lead to a service-wide denial of service, affecting all users and applications relying on the vLLM instance. The issue is reliably reproducible, meaning attackers can sustain an outage through repeated requests.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade vLLM instances immediately to a version greater than or equal to 0.24.0 to remediate CVE-2026-54234, as described in the vLLM pull request linked in the references.</li>
<li>Deploy the Sigma rule &quot;Detect vLLM Engine DoS via Invalid Token Reinjection (CVE-2026-54234)&quot; to your SIEM solution to detect server-side crash indicators.</li>
<li>Monitor <code>logfile</code> sources on vLLM host systems for &quot;CUDA error: device-side assert triggered&quot; and &quot;EngineCore encountered an issue&quot; messages, as these are indicators of CVE-2026-54234 exploitation or other critical engine failures.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>LLM</category><category>AI</category><category>python</category><category>server-side</category></item></channel></rss>