CVE-2026-34760

HIGH EPSS 18.2%
Published Apr 2, 20262mo ago · Modified Jun 17, 20261w ago
7.1 CVSS 3.1
High
Find Similar
Published Apr 2, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before version 0.18.0, Librosa defaults to using numpy.mean for mono downmixing (to_mono), while the international standard ITU-R BS.775-4 specifies a weighted downmixing algorithm. This discrepancy results in inconsistency between audio heard by humans (e.g., through headphones/regular speakers) and audio processed by AI models (Which infra via Librosa, such as vllm, transformer). This issue has been patched in version 0.18.0.

CVSS Details

Base Score
7.1
Exploitability
2.8
Impact
4.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability Low

Threat Intelligence

EPSS Exploit Probability
18.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-20 Improper Input Validation Validation

Affected Products 1

VendorProductVersionRange
vllmvllm*≥0.5.5  –  <0.18.0

References 4

  • github.com https://github.com/vllm-project/vllm/commit/c7f98b4d0a63b32ed939e2b6dfaa8a626e9b46c4
    Patch
  • github.com https://github.com/vllm-project/vllm/pull/37058
    Issue Tracking
  • github.com https://github.com/vllm-project/vllm/releases/tag/v0.18.0
    Release Notes
  • github.com https://github.com/vllm-project/vllm/security/advisories/GHSA-6c4r-fmh3-7rh8
    Vendor Advisory

Remediation

  • github.com https://github.com/vllm-project/vllm/commit/c7f98b4d0a63b32ed939e2b6dfaa8a626e9b46c4
    Patch