CVE-2026-44223— vLLM: extract_hidden_states speculative decoding crashes server on any request with penalty parameters
Possible ATT&CK Techniques 2AI
T1499 · Endpoint Denial of Service T1499.002 · Service Exhaustion FloodAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| vllm-project | vllm | >= 0.18.0, < 0.20.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44223
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
vLLM: extract_hidden_states speculative decoding crashes server on any request with penalty parameters
Source: NVD (National Vulnerability Database)
Vulnerability Description
vLLM is an inference and serving engine for large language models (LLMs). From to before 0.20.0, the extract_hidden_states speculative decoding proposer in vLLM returns a tensor with an incorrect shape after the first decode step, causing a RuntimeError that crashes the EngineCore process. The crash is triggered when any request in the batch uses sampling penalty parameters (repetition_penalty, frequency_penalty, or presence_penalty). A single request with a penalty parameter (e.g., "repetition_penalty": 1.1) is sufficient to crash the server. This vulnerability is fixed in 0.20.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
缓冲区大小计算不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
vLLM 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
vLLM是vLLM开源的一个适用于 LLM 的高吞吐量和内存高效推理和服务引擎。 vLLM 0.20.0之前版本存在安全漏洞,该漏洞源于extract_hidden_states推测解码提议器在第一次解码步骤后返回形状不正确的张量,导致RuntimeError崩溃EngineCore进程,当任何请求使用采样惩罚参数时触发。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| vllm-project | vllm | >= 0.18.0, < 0.20.0 | - |
II. Public POCs for CVE-2026-44223
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44223
请登录查看更多情报信息。
- https://github.com/vllm-project/vllm/pull/38610x_refsource_MISC
- https://github.com/vllm-project/vllm/security/advisories/GHSA-83vm-p52w-f9pwx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-44223
IV. Related Vulnerabilities
Same product: vllm
- CVE-2026-44222
vLLM: Remote DoS via Special-Token Placeholders - CVE-2026-7141
vllm KV Block kv_cache_interface.py has_mamba_layers uniniti - CVE-2026-34756
vLLM Affected by Unauthenticated OOM Denial of Service via U - CVE-2026-34755
vLLM Affected by Denial of Service via Unbounded Frame Count - CVE-2026-34753
vLLM affected by Server-Side Request Forgery (SSRF) in `down
Same vendor: vllm-project
- CVE-2026-44222
vLLM: Remote DoS via Special-Token Placeholders - CVE-2026-34756
vLLM Affected by Unauthenticated OOM Denial of Service via U - CVE-2026-34755
vLLM Affected by Denial of Service via Unbounded Frame Count - CVE-2026-34753
vLLM affected by Server-Side Request Forgery (SSRF) in `down - CVE-2026-34760
vLLM: Downmix Implementation Differences as Attack Vectors A
Same weakness: CWE-131
V. Comments for CVE-2026-44223
No comments yet