vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with a model using M-RoPE causes EngineCore to fail an assertion and fatally crash, shutting down the entire server application. Any remote user who is authorized to make a /v1/completions request can make such a request and induce a crash. This issue is fixed in version 0.24.0.
Metrics
Affected Vendors & Products
References
History
Mon, 06 Jul 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Vllm-project
Vllm-project vllm |
|
| Vendors & Products |
Vllm-project
Vllm-project vllm |
Mon, 06 Jul 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 06 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with a model using M-RoPE causes EngineCore to fail an assertion and fatally crash, shutting down the entire server application. Any remote user who is authorized to make a /v1/completions request can make such a request and induce a crash. This issue is fixed in version 0.24.0. | |
| Title | vLLM denial of service via prompt embeds on M-RoPE models | |
| Weaknesses | CWE-617 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-06T20:46:52.405Z
Reserved: 2026-06-16T22:44:22.284Z
Link: CVE-2026-55514
Updated: 2026-07-06T20:46:47.411Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-06T22:00:14Z