CVE-2026-5497

NONE · EPSS 34.0%
Published Jun 11, 2026 (2w ago)
Last Modified Jun 17, 2026 (1w ago)

Description

vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory (OOM) Denial of Service (DoS) attack due to unbounded frame count processing in the `VideoMediaIO.load_base64()` method. When processing `video/jpeg` data URLs, the method splits the base64 data string on commas to extract individual JPEG frames without enforcing a frame count limit. An attacker can exploit this by crafting a single API request containing thousands of comma-separated base64-encoded JPEG frames in a data URL, causing the server to decode all frames into memory and crash due to excessive memory consumption. This vulnerability is reachable via the OpenAI-compatible chat completions API and does not require authentication.
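The defect described above is a missing bound on how many comma-separated frames one data URL may carry. The following Python is an added illustration, not vLLM's code and not the fix in the referenced commit: it shows the unbounded split-and-decode shape next to a bounded variant that counts separators and rejects oversized input before any base64 decoding happens. The limits `MAX_FRAMES` and `MAX_FRAME_BYTES`, the function names and the constructed sample frames are all assumptions made for the example.

```python
import base64
import re

# Assumed limits for this example; the record does not state what bound the patch enforces.
MAX_FRAMES = 32                     # assumption: max JPEG frames per video/jpeg data URL
MAX_FRAME_BYTES = 4 * 1024 * 1024   # assumption: max decoded bytes per frame

_VIDEO_JPEG_DATA_URL = re.compile(r"^data:video/jpeg;base64,(.*)$", re.DOTALL)


class FrameLimitExceeded(ValueError):
    """Raised when a data URL carries more frames, or larger frames, than allowed."""


def _payload(data_url: str) -> str:
    m = _VIDEO_JPEG_DATA_URL.match(data_url)
    if not m:
        raise ValueError("not a video/jpeg base64 data URL")
    return m.group(1)


def split_frames_unbounded(data_url: str) -> list[bytes]:
    """The vulnerable shape the advisory describes: decode every comma-separated
    chunk with no cap, so memory use scales with whatever the client sends."""
    return [base64.b64decode(chunk) for chunk in _payload(data_url).split(",")]


def check_frame_count(data_url: str, max_frames: int = MAX_FRAMES) -> tuple[bool, int]:
    """Cheap pre-check: count separators without decoding anything.
    Returns (within_limit, frame_count)."""
    n_frames = _payload(data_url).count(",") + 1
    return n_frames <= max_frames, n_frames


def split_frames_bounded(
    data_url: str,
    max_frames: int = MAX_FRAMES,
    max_frame_bytes: int = MAX_FRAME_BYTES,
) -> list[bytes]:
    """Hardened variant: enforce a frame-count limit before decoding, and a
    per-frame size limit before each decode, so a hostile request is rejected
    while its cost is still a string scan rather than a pile of decoded frames."""
    ok, n_frames = check_frame_count(data_url, max_frames)
    if not ok:
        raise FrameLimitExceeded(f"{n_frames} frames exceeds limit of {max_frames}")
    frames = []
    for chunk in _payload(data_url).split(","):
        # Decoded size is at most 3/4 of the base64 length; reject before decoding.
        if (len(chunk) * 3) // 4 > max_frame_bytes:
            raise FrameLimitExceeded("frame exceeds per-frame size limit")
        frames.append(base64.b64decode(chunk, validate=True))
    return frames


def make_data_url(frames: list[bytes]) -> str:
    """Helper to build a constructed video/jpeg data URL for testing."""
    encoded = ",".join(base64.b64encode(f).decode("ascii") for f in frames)
    return "data:video/jpeg;base64," + encoded


if __name__ == "__main__":
    # Constructed sample: tiny stand-in 'frames' (real JPEG data is not needed here).
    small = make_data_url([b"\xff\xd8" + bytes([i]) + b"\xff\xd9" for i in range(3)])
    print("small request frames:", len(split_frames_bounded(small)))
    flood = make_data_url([b"\xff\xd8\xff\xd9"] * 1000)
    print("flood pre-check:", check_frame_count(flood))
    try:
        split_frames_bounded(flood)
    except FrameLimitExceeded as e:
        print("rejected:", e)
```

The point of the ordering is that the count check touches only the string, so a request that would have exhausted memory in the unbounded path is refused at roughly the cost of reading it. Servers exposing this endpoint without authentication should also log and rate-limit such rejections, since a flood of refused requests is still a signal worth seeing.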

Threat Intelligence

EPSS Exploit Probability
34.0% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-400 Uncontrolled Resource Consumption (Resource Management)

Affected Products 1

Vendor: vllm · Product: vllm · Version: * · Range: ≥0.8.0 and <0.19.0

References 2

  • github.com https://github.com/vllm-project/vllm/commit/58ee61422169ce17e08248f8efa1e9df434fe395
    Patch
  • huntr.com https://huntr.com/bounties/7bd92629-b396-4449-8f88-6c0092530eb4
    Exploit, Third Party Advisory

Remediation

  • github.com https://github.com/vllm-project/vllm/commit/58ee61422169ce17e08248f8efa1e9df434fe395
    Patch