CVE-2026-54235 | vLLM is an inference and serving engine for large language m… | CVSS 6.9 MEDIUM

Description

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, ll temperature validation gates use comparison operators (<, >), which silently evaluate to False for NaN and for positive Infinity in Python's IEEE 754 float semantics. Both values pass every guard and propagate to GPU sampling kernels, where they produce undefined behavior or CUDA errors that can crash the inference worker. This vulnerability is fixed in 0.23.1rc0.

Metadata

CVE ID: CVE-2026-54235
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 16:25 UTC
Published: 2026-06-22 21:59 UTC
Last updated: 2026-06-22 21:59 UTC
Primary CWE: CWE-1287
CWE-1287: Improper Validation of Specified Type of Input
Vendor / Product: vllm-project / vllm
Sources: cve.org · NVD

Severity & Metrics

6.9 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
vllm-project	vllm	—	< 0.23.1rc0

Weakness (CWE)

CWE	Source	Description
CWE-1287	cna	CWE-1287: Improper Validation of Specified Type of Input

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References (3)

https://github.com/vllm-project/vllm/security/advisories/GHSA-7h4p-rffg-7823 https://github.com/vllm-project/vllm/security/advisories/GHSA-7h4p-rffg-7823
https://github.com/vllm-project/vllm/pull/45116 https://github.com/vllm-project/vllm/pull/45116
https://github.com/vllm-project/vllm/commit/d598d239737cfa37bcfcb98886ec3f3557fc7198 https://github.com/vllm-project/vllm/commit/d598d239737cfa37bcfcb98886ec3f3557fc7198