{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/vllm--0.17.1--0.24.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-54234"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["vLLM (\u003e= 0.17.1, \u003c 0.24.0)"],"_cs_severities":["low"],"_cs_tags":["denial-of-service","vulnerability","LLM","AI","python","server-side"],"_cs_type":"advisory","_cs_vendors":["vLLM"],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2026-54234, affects vLLM versions 0.17.1 up to (but not including) 0.24.0. This flaw allows a remote client to trigger a denial of service (DoS) in the vLLM engine. The attack is initiated by sending a specific, frontend-legal multi-request speculative workload that causes the engine to generate an out-of-vocabulary token. This invalid token is then incorrectly processed and reinjected into the model's input IDs, leading to a GPU \u003ccode\u003edevice-side assert\u003c/code\u003e and a subsequent crash of the vLLM worker. The issue is reproducible and can be triggered via the public gRPC request surface using an overlapping \u003ccode\u003eGenerate\u003c/code\u003e / \u003ccode\u003eAbort\u003c/code\u003e sequence. In shared deployment environments, this vulnerability enables a service-wide DoS, impacting all clients and preventing further requests until the engine is manually restarted. The vulnerability has been confirmed on vLLM version 0.17.1, specifically when using models like \u003ccode\u003eQwen/Qwen3-0.6B-GPTQ-Int8\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker initiates a frontend-legal multi-request speculative workload on a vulnerable vLLM engine, maintaining structured-output state, speculative decoding, overlap, and request cancellation.\u003c/li\u003e\n\u003cli\u003eDuring the rejection sampling phase of speculative decoding, vLLM produces a recovered token that is equal to the model's \u003ccode\u003evocab_size\u003c/code\u003e boundary value (e.g., 151936 for Qwen3).\u003c/li\u003e\n\u003cli\u003eThis out-of-vocabulary token appears at position 0 of the sampled speculative row for a live request, with other positions potentially filled with padding.\u003c/li\u003e\n\u003cli\u003eIn the next-token preparation step, vLLM erroneously treats this out-of-vocabulary token as a real next token for the request and converts its value to \u003ccode\u003e-1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe drafter component then writes this converted \u003ccode\u003e-1\u003c/code\u003e back into the live next-step input-id row for the processing request.\u003c/li\u003e\n\u003cli\u003eThe drafting, embedding, or attention path within the GPU worker attempts to consume this invalid \u003ccode\u003e-1\u003c/code\u003e token, leading to a \u003ccode\u003eCUDA error: device-side assert triggered\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe GPU worker crashes, causing the entire vLLM engine to fail and become unresponsive to further requests, resulting in a service-wide denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-54234 allows any remote client capable of sending gRPC generation requests to crash the shared vLLM engine worker. This not only aborts all concurrent requests but also prevents any subsequent requests from completing until the worker is manually restarted. In deployments where vLLM is shared across multiple clients, this vulnerability can lead to a service-wide denial of service, affecting all users and applications relying on the vLLM instance. The issue is reliably reproducible, meaning attackers can sustain an outage through repeated requests.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade vLLM instances immediately to a version greater than or equal to 0.24.0 to remediate CVE-2026-54234, as described in the vLLM pull request linked in the references.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect vLLM Engine DoS via Invalid Token Reinjection (CVE-2026-54234)\u0026quot; to your SIEM solution to detect server-side crash indicators.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003elogfile\u003c/code\u003e sources on vLLM host systems for \u0026quot;CUDA error: device-side assert triggered\u0026quot; and \u0026quot;EngineCore encountered an issue\u0026quot; messages, as these are indicators of CVE-2026-54234 exploitation or other critical engine failures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T17:08:53Z","date_published":"2026-07-17T17:08:53Z","id":"https://feed.craftedsignal.io/briefs/2026-07-vllm-dos/","summary":"A frontend-legal multi-request speculative workload can cause vLLM to produce an out-of-vocabulary recovered token, which is then converted to an invalid value (-1) and reinjected into the drafting input IDs, leading to a GPU device-side assert and crashing the vLLM engine, causing a service-wide denial of service through a specific gRPC request sequence.","title":"vLLM Remote Denial of Service via Invalid Token Reinjection","url":"https://feed.craftedsignal.io/briefs/2026-07-vllm-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - VLLM (\u003e= 0.17.1, \u003c 0.24.0)","version":"https://jsonfeed.org/version/1.1"}