Description

vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large n value. This completely blocks the Python asyncio event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue. This vulnerability is fixed in 0.19.0.

INFO

Published Date :

2026-04-06T15:40:03.448Z

Last Modified :

2026-04-07T14:17:12.597Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34756 vulnerability.

Vendors Products
Vllm-project
  • Vllm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34756.

URL Resource
https://github.com/vllm-project/vllm/commit/b111f8a61f100fdca08706f41f29ef3548de7380 cve-icon cve-icon cve-icon
https://github.com/vllm-project/vllm/pull/37952 cve-icon cve-icon cve-icon
https://github.com/vllm-project/vllm/security/advisories/GHSA-3mwp-wvh9-7528 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-34756 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-34756 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact