Vulnerability Details CVE-2026-55514
vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with a model using M-RoPE causes EngineCore to fail an assertion and fatally crash, shutting down the entire server application. Any remote user who is authorized to make a /v1/completions request can make such a request and induce a crash. This issue is fixed in version 0.24.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 24.9%
CVSS Severity
CVSS v3 Score 6.5
Products affected by CVE-2026-55514
-
cpe:2.3:a:vllm:vllm:0.12.0
-
cpe:2.3:a:vllm:vllm:0.13.0
-
cpe:2.3:a:vllm:vllm:0.14.0
-
cpe:2.3:a:vllm:vllm:0.14.1
-
cpe:2.3:a:vllm:vllm:0.15.0
-
cpe:2.3:a:vllm:vllm:0.15.1
-
cpe:2.3:a:vllm:vllm:0.15.2
-
cpe:2.3:a:vllm:vllm:0.16.0
-
cpe:2.3:a:vllm:vllm:0.16.1
-
cpe:2.3:a:vllm:vllm:0.17.0
-
cpe:2.3:a:vllm:vllm:0.17.1
-
cpe:2.3:a:vllm:vllm:0.17.2
-
cpe:2.3:a:vllm:vllm:0.18.0
-
cpe:2.3:a:vllm:vllm:0.18.1
-
cpe:2.3:a:vllm:vllm:0.18.2
-
cpe:2.3:a:vllm:vllm:0.19.0
-
cpe:2.3:a:vllm:vllm:0.19.1
-
cpe:2.3:a:vllm:vllm:0.19.2
-
cpe:2.3:a:vllm:vllm:0.20.0
-
cpe:2.3:a:vllm:vllm:0.20.1
-
cpe:2.3:a:vllm:vllm:0.20.2
-
cpe:2.3:a:vllm:vllm:0.21.0
-
cpe:2.3:a:vllm:vllm:0.21.1
-
cpe:2.3:a:vllm:vllm:0.22.0
-
cpe:2.3:a:vllm:vllm:0.22.1
-
cpe:2.3:a:vllm:vllm:0.23.0
-
cpe:2.3:a:vllm:vllm:0.23.1