CVE Vulnerabilities

CVE-2026-54233

Improper Handling of Highly Compressed Data (Data Amplification)

Published: Jun 22, 2026 | Modified: Jun 24, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
6.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ubuntu
root.io logo minimus.io logo echo.ai logo

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, vLLMs /v1/audio/transcriptions endpoint limits compressed upload size but not decoded PCM output. A 25MB OPUS file expands to ~14.9GB of float32 PCM at decode time. This vulnerability is fixed in 0.23.1rc0.

Weakness

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Affected Software

NameVendorStart VersionEnd Version
VllmVllm*0.23.1 (excluding)

References