CVE-2026-34755
CWE-770Published: April 6, 2026· Updated: Apr 7, 2026
Official Description
vLLM is an inference and serving engine for large language models (LLMs). From 0.7.0 to before 0.19.0, the VideoMediaIO.load_base64() method at vllm/multimodal/media/video.py splits video/jpeg data URLs by comma to extract individual JPEG frames, but does not enforce a frame count limit. The num_frames parameter (default: 32), which is enforced by the load_bytes() code path, is completely bypassed in the video/jpeg base64 path. An attacker can send a single API request containing thousands of comma-separated base64-encoded JPEG frames, causing the server to decode all frames into memory and crash with OOM. This vulnerability is fixed in 0.19.0.
Technical Analysis
CVE-2026-34755 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
A successful exploit results in availability disruption (denial of service), with a CVSS base score of 6.5.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (1)
Quick Facts
Related CVEs (CWE-770)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-34755 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts