← Back

CVE-2026-41523

nvd nist
Published: Jun 22, 2026Modified: Jul 15, 2026

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.6 / Impact: 5.9
Source: security-advisories@github.com (Secondary)

Description

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, an assert-based security check in vLLM's activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model, when vLLM runs in Python optimized mode (python -O or PYTHONOPTIMIZE=1). This vulnerability is fixed in 0.22.0.

Affected (1)

Products: Vllm: Vllm
1 product
Vllm
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Before 0.22.0

References (8)

Source: security-advisories@github.com
ExploitThird Party Advisory
Source: security-advisories@github.com
Third Party Advisory
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c

Timeline

No history available yet.