CVE-2026-34756: vLLM Affected by Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server
vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large n value. This completely blocks the Python asyncio event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue. This vulnerability is fixed in 0.19.0.
Security readout for executives and security teams
Plain-English summary
CVE-2026-34756 can let a remote caller crash an affected vLLM OpenAI-compatible API server by sending a request with an extremely large completion count. The issue affects vLLM 0.1.0 through versions before 0.19.0 and is fixed in 0.19.0. The business impact is service outage, not data theft.
Executive priority
Handle as a near-term availability risk for AI services. It does not indicate confidentiality or integrity compromise, but exposed inference endpoints could be taken offline cheaply. Upgrade affected deployments during the next urgent maintenance window, sooner for internet-facing or multi-tenant systems.
Technical view
The affected ChatCompletionRequest and CompletionRequest models lacked an upper bound for the n parameter. Processing a very large value can block the Python asyncio event loop and exhaust heap memory before scheduling, causing an immediate denial of service. Sources list CWE-1284 and CWE-770, with CVSS 3.1 score 6.5 and availability impact high.
Likely exposure
Exposure is most relevant where vLLM’s OpenAI-compatible API server is reachable by untrusted users or services. Internal-only deployments still carry risk if tenants, workloads, or upstream applications can submit arbitrary completion requests.
Exploitation context
The bundle says a single HTTP request can trigger the condition, but KEV is false and the provided sources do not claim active exploitation. The CVSS vector lists PR:L while the description says unauthenticated; treat this as a source inconsistency until vendor records are reconciled.
Researcher notes
The root issue is unbounded input driving request object allocation before scheduling. The main evidence comes from the GitHub advisory, upstream fix references, CVE data, and Red Hat tracking. Avoid assuming exploit activity or affected downstream products beyond the listed sources.
Mitigation direction
Upgrade vLLM to version 0.19.0 or later.
Prioritize exposed OpenAI-compatible API servers using affected vLLM versions.
If using Red Hat packages, review RHSA-2026:36005 and RHSA-2026:36006 applicability.
If immediate upgrade is impossible, check vendor guidance for supported interim controls.
Monitor affected services for OOM crashes, restarts, and abnormal request patterns.
Validation and detection
Inventory vLLM versions across inference and model-serving environments.
Identify deployments exposing the OpenAI-compatible API server.
Confirm whether running versions are earlier than 0.19.0.
Review service telemetry for recent OOM events or unexplained API server restarts.
Check package source against upstream vLLM or relevant Red Hat advisories.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-1284: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-1284 · source CWE mapping
Improper Validation of Specified Quantity in Input
Improper Validation of Specified Quantity in Input represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Allocation of Resources Without Limits or Throttling
Allocation of Resources Without Limits or Throttling represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.