PT-2026-50490 · Vllm · Vllm
Brodmart · Published 2026-06-17 · Updated 2026-06-22 · CVE-2026-54235
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
vLLM versions prior to 0.23.1rc0
Description
Temperature validation gates use comparison operators that silently evaluate to False when encountering NaN (Not a Number) or positive Infinity due to Python's IEEE 754 float semantics. These values bypass the guards and propagate to GPU sampling kernels, resulting in undefined behavior or CUDA errors that can crash the inference worker and degrade service for all concurrent users. The issue occurs because the _verify_args() function in sampling_params.py lacks checks such as math.isnan() or math.isinf() for the temperature variable.
Recommendations
Update to version 0.23.1rc0.
As a temporary workaround, restrict the use of non-finite float values for the temperature variable to prevent inference worker crashes.
Fix
Affected Products
Vllm
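The comparison behaviour from the description and the temporary workaround, as an added example (not vLLM's code and not the project's patch). The guard shape, the function names and the sample values are assumptions made for illustration.

```python
import math

def comparison_only_guard(temperature):
    """Assumed, simplified guard built only on a comparison operator."""
    if temperature < 0.0:  # NaN < 0.0 and inf < 0.0 are both False
        raise ValueError(f"temperature must be non-negative, got {temperature}")
    return temperature

def finite_guard(temperature):
    """Hardened guard: type check, then finiteness, then range."""
    if isinstance(temperature, bool) or not isinstance(temperature, (int, float)):
        raise ValueError("temperature must be a number")
    try:
        value = float(temperature)
    except OverflowError:  # an int too large to represent as a float
        raise ValueError("temperature out of range") from None
    if not math.isfinite(value):  # rejects NaN, +inf and -inf
        raise ValueError(f"temperature must be finite, got {value}")
    if value < 0.0:
        raise ValueError(f"temperature must be non-negative, got {value}")
    return value

def accepted(guard, value):
    """Return True if the guard lets the value through."""
    try:
        guard(value)
        return True
    except ValueError:
        return False

def sanitize_request(payload):
    """Hypothetical workaround filter: validate before forwarding a request."""
    if payload.get("temperature") is not None:
        payload = {**payload, "temperature": finite_guard(payload["temperature"])}
    return payload

# Constructed sample values, not taken from the advisory.
SAMPLES = [0.7, 0.0, -1.0, float("nan"), float("inf"), float("-inf")]

def compare_guards():
    """(value, passes comparison-only guard, passes hardened guard) per sample."""
    return [(repr(v), accepted(comparison_only_guard, v), accepted(finite_guard, v))
            for v in SAMPLES]

if __name__ == "__main__":
    for value, weak, hardened in compare_guards():
        print(f"{value:>5}  comparison-only={weak!s:<5}  hardened={hardened}")
```

A filter like sanitize_request belongs at the API boundary in front of the inference server until the upgrade to 0.23.1rc0 is in place.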