SecBoard
Zurück zur CVE-Übersicht

CVE-2026-41523

HIGH(7.5)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Risk Signal Score19/100 — NIEDRIG
  • CVSS 7.5 — Hoch

EPSS-Score

0%

Exploit-Wahrscheinlichkeit (30 Tage)

CVSS Score

7.5

Technische Schwere

Beschreibung

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, an assert-based security check in vLLM's activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model, when vLLM runs in Python optimized mode (python -O or PYTHONOPTIMIZE=1). This vulnerability is fixed in 0.22.0.

GitHub Advisories

GHSA-q8gq-377p-jq3rHIGH

vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution

pip/vllm0.22.0
GitHub Advisory

Referenzen