CVE-2026-56340: vLLM Multimodal Embeddings Flaw
| Field | Value |
|---|---|
| CVE ID | CVE-2026-56340 |
| CVSS score | 8.8 |
| Attack vector | Not explicitly confirmed; remote request handling is implied when exposed APIs accept crafted embedding input |
| Auth required | Unknown; assume untrusted API clients may reach the vulnerable path if prompt-embeds is enabled |
| Patch status | Fixed in vLLM 0.13.0 |
TL;DR - vLLM versions
>= 0.10.2and< 0.13.0are vulnerable whenprompt-embedsis enabled. - Upgrade to0.13.0and review whether untrusted users can submit multimodal embedding requests. - No confirmed in-the-wild exploitation or public PoC is established yet, but patch quickly due to DoS and possible memory corruption risk.
What is CVE-2026-56340?
CVE-2026-56340 is a high-severity flaw in the open-source vLLM project. This vulnerability affects vLLM versions >= 0.10.2 and < 0.13.0, with 0.13.0 being the first fixed version. The root cause is missing sparse tensor validation during multimodal embeddings processing. Malformed input can reach unsafe code paths when vLLM processes prompt embeddings.
The NVD record states that PyTorch disables sparse tensor invariant checks by default, increasing the risk that invalid tensor data is accepted unless the application enforces its own validation. An attacker who can submit crafted embedding requests with negative or out-of-bounds tensor indices may crash the process, exhaust resources, or trigger denial of service. The description also warns of potential out-of-bounds or write-what-where memory corruption, making this issue more concerning than a simple reliability bug.
This issue is also significant as NVD explicitly states it continues CVE-2025-62164. The prior remediation reportedly disabled the feature by default rather than fixing the underlying validation gap. This matters for defenders because a deployment may still be at risk if operators re-enabled the feature or relied on it for multimodal workflows.
From an operational standpoint, the vulnerable path is only described as reachable when the prompt-embeds feature is enabled. This narrows exposure but does not eliminate urgency. AI inference stacks are often internet-facing or multi-tenant, and any feature that accepts structured user input into a model-serving path deserves close review when memory corruption is mentioned.
Affected Versions and Exposure Conditions
The affected range is clearly stated as vLLM >= 0.10.2 and < 0.13.0. This includes 0.10.2, all subsequent 0.10.x, 0.11.x, and 0.12.x releases before 0.13.0. The first non-vulnerable release is 0.13.0.
If you run vLLM but do not know the deployed version, verify it immediately from the Python package metadata, container tag, or build manifest. In AI serving environments, version drift is common across notebooks, GPU nodes, Kubernetes deployments, and sidecar images. You should not assume that because one cluster was updated, every inference worker is fixed.
Exposure depends on whether prompt-embeds is enabled and whether attackers or untrusted tenants can send embedding-related requests that reach the multimodal processing path. The public description does not provide a definitive statement on authentication requirements. Therefore, defenders should assume the worst reasonable case: if an API route accepts user-supplied prompts or embeddings and is reachable by external users, the vulnerable code path may be exposed.
The highest-risk environments are likely to be shared inference services, public model APIs, and internal platforms where many teams can submit custom requests. Even if the service is not internet-exposed, an authenticated internal user or another compromised workload could potentially abuse the flaw for denial of service.
Severity and Exploitation Status
The CVSS base score is 8.8, placing the issue firmly in high-severity territory. The exact CVSS vector string was not available in the provided NVD output, so it should not be guessed. Still, the score aligns with a flaw that can be triggered through request processing and can lead to service impact with possible unsafe memory behavior.
What stands out here is the combination of availability impact and potential memory corruption. Many model-serving teams will initially classify this as “just DoS” because crashes and resource exhaustion are the most direct outcomes described. That would be too narrow. When a vendor or upstream record mentions out-of-bounds or write-what-where conditions, responders should treat the issue as potentially more dangerous until further technical analysis proves otherwise.
As of the available source material, exploitation in the wild is not confirmed. The CVE is not listed in CISA KEV, which means there is no KEV-backed confirmation of active exploitation at this time. Likewise, a public proof of concept is not known from the primary references reviewed for this article. That said, absence of a public PoC does not reduce remediation urgency for exposed services, especially in fast-moving open-source ecosystems where private exploit development may precede public disclosure.
If you need to prioritize among many fixes, use exposure as the main tiebreaker. Internet-facing or multi-tenant vLLM deployments with prompt-embeds enabled should move to the front of the queue, even without confirmed exploitation.
What Defenders Should Do Next
First, inventory every vLLM deployment and confirm whether any instance runs a version in the vulnerable range: >= 0.10.2 and < 0.13.0. Do not rely on CMDB data alone; validate live systems, containers, and notebooks. Second, determine whether prompt-embeds is enabled anywhere, including in internal research clusters that may later be promoted into production.
Third, patch to 0.13.0 or later as soon as practical and restrict embedding endpoints until patching is complete. Finally, monitor for post-upgrade anomalies. Since this CVE follows an earlier incomplete remediation, teams should be cautious about assuming historic mitigations are still adequate.
At the time of writing, there is no confirmed in-the-wild exploitation and no known public PoC in the reviewed primary sources. In the absence of that data, defenders should still assume that exposed AI inference services are attractive targets and act accordingly.
Additional Resources
For more information on related vulnerabilities, you can check these links: - What is CSRF? - Secure Self-Hosted Services Practical Checklist
How to Detect Potential Abuse or Vulnerable Deployments
Start by identifying where vLLM is deployed and whether prompt-embeds is enabled in production, staging, and research environments. This is not purely a package inventory task. You also need to review startup flags, environment variables, API gateway routes, and any custom code that forwards embedding-related requests into vLLM. If your organization exposes multimodal or embedding APIs to end users, map those request paths first.
Next, look for signs of instability that line up with malformed tensor processing: repeated worker crashes, sudden GPU memory pressure, spikes in request latency, process restarts, OOM kills, and bursts of HTTP 5xx responses tied to embedding endpoints. Because the public advisory data does not include a canonical exploit string or exact stack trace, defenders should rely on behavior-based detection plus request logging around embedding features.
A second detection track is version verification. Any environment running vLLM 0.10.2 through 0.12.x should be considered vulnerable until upgraded, especially if you cannot rule out prompt-embeds use. If feature usage is unclear, assume exposure until config review says otherwise.
Technical Notes
Use package and container inspection to find vulnerable nodes:
python -c "import vllm; print(vllm.__version__)"
pip show vllm
pip freeze | grep '^vllm=='
If you run containers, inventory image tags and running pods:
kubectl get pods -A -o wide | grep -i vllm
kubectl describe pod <pod-name> -n <namespace> | grep -i image:
Look for service instability and suspicious embedding request patterns in logs. Exact field names vary, but useful indicators include repeated errors near embedding handlers, malformed tensor references, or bursts of 500 responses:
"POST /v1/embeddings" AND (status=500 OR status=502 OR status=503)
"prompt_embeds"
"sparse"
"tensor"
"index out of bounds"
"negative index"
"CUDA out of memory"
Example Splunk query:
index=prod (sourcetype=nginx OR sourcetype=application)
("POST /v1/embeddings" OR "prompt_embeds")
(status=500 OR status=502 OR status=503 OR "out of bounds" OR "negative index" OR "CUDA out of memory")
| stats count by host, service, status
Example Sigma-style detection idea for application logs:
title: Suspicious vLLM Embedding Failures
logsource:
product: linux
category: application
detection:
selection:
message|contains:
- "prompt_embeds"
- "out of bounds"
- "negative index"
- "CUDA out of memory"
condition: selection
level: medium
These patterns are heuristic, not signature-grade. Because public exploit artifacts are not established, treat them as triage aids and tune against your own logging schema.
Mitigation and Patching Guidance
The primary fix is to upgrade vLLM to 0.13.0 or later. If you are on any version from 0.10.2 through 0.12.x, plan an expedited update window. Because the flaw is tied to input validation in multimodal embeddings processing, perimeter controls alone should not be considered sufficient.
For teams that cannot upgrade immediately, the most defensible workaround based on the available record is to disable or avoid the prompt-embeds feature. NVD specifically notes that exploitation is reachable when prompt-embeds is enabled. That makes feature disablement the most direct temporary mitigation if your workflow allows it. You should also restrict access to any embedding or multimodal endpoints to trusted clients only until patching is complete.
In production AI systems, mitigation should also include rate limiting and request size controls on embedding APIs. Those measures do not fix the root cause, but they can reduce the blast radius of resource-exhaustion attempts and buy time during staged rollouts.
Technical Notes
Upgrade vLLM with pip:
pip install --upgrade 'vllm>=0.13.0'
If you pin dependencies, update the requirement explicitly:
pip install vllm==0.13.0
Verify after the upgrade:
python -c "import vllm; print(vllm.__version__)"
For containerized deployments, rebuild and redeploy from a base image containing vllm==0.13.0, then restart workloads:
kubectl rollout restart deployment/<deployment-name> -n <namespace>
kubectl rollout status deployment/<deployment-name> -n <namespace>
If you need a temporary workaround before maintenance is approved, disable use of prompt-embeds in your application path and block public access to embedding endpoints at the reverse proxy or API gateway. Example NGINX restriction for a known embedding route:
location /v1/embeddings {
allow 10.0.0.0/8;
deny all;
}
If your application explicitly passes prompt_embeds or equivalent embedding structures, remove or gate that functionality until the upgrade is complete. Validate the exact disablement method against your own deployment manifests and the upstream vLLM documentation.
References
| Source | URL |
|---|---|
| NVD CVE record | https://nvd.nist.gov/vuln/detail/CVE-2026-56340 |
| GitHub Security Advisory | https://github.com/vllm-project/vllm/security/advisories/GHSA-mcmc-2m55-j8jj |
| VulnCheck advisory | https://www.vulncheck.com/advisories/vllm-denial-of-service-via-unvalidated-multimodal-embeddings |
| vLLM documentation | https://docs.vllm.ai |
| vLLM GitHub repository | https://github.com/vllm-project/vllm |
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.