CVE-2026-9540
Published 2026-05-26
CVE-2026-9540: A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such…
Priority P4 · 30 · medium · 5.3 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.43% (34.2th percentile)
A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.
Affected
30 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rhaii | vllm-cpu-rhel9 | — | — |
| rhaii | vllm-cuda-rhel9 | — | — |
| rhaii | vllm-gaudi-rhel9 | — | — |
| rhaii | vllm-neuron-rhel9 | — | — |
| rhaii | vllm-rocm-rhel9 | — | — |
| rhaii | vllm-spyre-rhel9 | — | — |
| rhaii | vllm-tpu-rhel9 | — | — |
| rhaiis | vllm-cpu-rhel9 | — | — |
| rhaiis | vllm-cuda-rhel9 | — | — |
| rhaiis | vllm-neuron-rhel9 | — | — |
| rhaiis | vllm-rocm-rhel9 | — | — |
| rhaiis | vllm-spyre-rhel9 | — | — |
| rhaiis | vllm-tpu-rhel9 | — | — |
| rhelai3 | bootc-aws-cuda-rhel9 | — | — |
| rhelai3 | bootc-azure-cuda-rhel9 | — | — |
| rhelai3 | bootc-azure-rocm-rhel9 | — | — |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-gcp-cuda-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhoai | odh-kserve-agent-rhel9 | — | — |
| rhoai | odh-kserve-controller-rhel9 | — | — |
| rhoai | odh-kserve-router-rhel9 | — | — |
| rhoai | odh-kserve-storage-initializer-rhel9 | — | — |
| rhoai | odh-llm-d-kv-cache-rhel9 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| nvd | v4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| vendor_redhat | | 5.3 | MEDIUM | |
GHSA
vllm has Improper Resource Shutdown or Release
ghsa·2026-05-26
CVE-2026-9540 [MEDIUM] CWE-404 vllm has Improper Resource Shutdown or Release
GHSA
GHSA-98f3-hwg4-4rf7: A vulnerability was identified in vllm-project vllm 0
ghsa_unreviewed·2026-05-26
CVE-2026-9540 [MEDIUM] CWE-404 GHSA-98f3-hwg4-4rf7: A vulnerability was identified in vllm-project vllm 0
Red Hat
vllm: vllm: Remote Denial of Service vulnerability in OpenAI-compatible Serving Path
vendor_redhat·2026-05-26·CVSS 5.3
CVE-2026-9540 [MEDIUM] CWE-770 vllm: vllm: Remote Denial of Service vulnerability in OpenAI-compatible Serving Path
A flaw was found in vllm-project vllm, specifically within its OpenAI-compatible Serving Path. A remote attacker could exploit this vulnerability by manipulating certain processing, leading to a denial of service (DoS). This could make the affected service unavailable to legitimate users. The issue impacts the availability of the vllm service.
Mitigation: To
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-9540 vllm: vllm: Remote Denial of Service vulnerability in OpenAI-compatible Serving Path
bugzilla·2026-05-26·CVSS 5.3
CVE-2026-9540 [MEDIUM] CVE-2026-9540 vllm: vllm: Remote Denial of Service vulnerability in OpenAI-compatible Serving Path
Bugzilla
CVE-2026-43390 kernel: nstree: tighten permission checks for listing
bugzilla·2026-05-08
CVE-2026-43390 CVE-2026-43390 kernel: nstree: tighten permission checks for listing
In the Linux kernel, the following vulnerability has been resolved:
nstree: tighten permission checks for listing
Even privileged services should not necessarily be able to see other
privileged service's namespaces so they can't leak information to each
other. Use may_see_all_namespaces() helper that centralizes this policy
until the nstree adapts.
Discussion:
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050836-CVE-2026-43390-9540@gregkh/T
Published 2026-05-26