CVE-2026-54235 Overview
CVE-2026-54235 affects vLLM, an inference and serving engine for large language models (LLMs). The vulnerability stems from temperature validation gates that use comparison operators (<, >) which silently evaluate to False for NaN and positive Infinity under Python's IEEE 754 float semantics. Both values bypass every guard and propagate to GPU sampling kernels, where they trigger undefined behavior or CUDA errors that crash the inference worker. The flaw is classified under [CWE-1287] (Improper Validation of Specified Type of Input) and is fixed in version 0.23.1rc0.
Critical Impact
A remote, unauthenticated attacker can submit crafted sampling parameters to crash the vLLM inference worker, resulting in a denial-of-service condition on GPU-backed LLM endpoints.
Affected Products
- vLLM versions prior to 0.23.1rc0
- Deployments exposing vLLM sampling parameters (temperature, repetition_penalty) to untrusted clients
- GPU-backed inference workers running affected vLLM builds
Discovery Timeline
- 2026-06-22 - CVE-2026-54235 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-54235
Vulnerability Analysis
The defect lives in vLLM's sampling parameter validation logic in vllm/sampling_params.py. The code enforces bounds on the temperature field using ordered comparisons such as temperature < 0. Under IEEE 754 semantics, any comparison with NaN returns False, and positive Infinity is not less than zero. Both values therefore satisfy the validator and reach the downstream sampler.
Once these non-finite floats enter the GPU sampling kernel, the softmax and probability scaling operations either produce NaN distributions or violate kernel preconditions. The resulting CUDA error aborts the worker process serving the request. Because vLLM is commonly deployed as a long-running inference service, the crash terminates all in-flight requests on that worker.
The same issue applies to repetition_penalty, which is validated through analogous comparison logic. The patch introduces math.isfinite() checks to reject non-finite inputs before they reach the kernels.
Root Cause
The root cause is reliance on ordered float comparisons to enforce numeric domain constraints. Python's < and > operators do not detect NaN, and they treat Infinity as a valid upper extreme. The validator never confirms that the supplied value is a finite real number, which is the actual contract expected by the CUDA sampling kernels.
Attack Vector
An attacker with network access to the vLLM HTTP API submits a generation request with temperature set to NaN or Infinity. No authentication, privileges, or user interaction are required when the endpoint is exposed. The crafted request passes input validation and triggers the kernel fault during sampling, which crashes the worker.
# Patch excerpt from vllm/sampling_params.py
import copy
import json as json_mod
+import math
from dataclasses import field
from enum import Enum, IntEnum
from functools import cached_property
# [Security] Reject non-finite temperature and repetition_penalty values (#45116)
Source: vLLM commit d598d23
The fix imports math and adds math.isfinite() guards so that NaN and Infinity are rejected before reaching the sampler.
Detection Methods for CVE-2026-54235
Indicators of Compromise
- Inference requests containing temperature or repetition_penalty fields with JSON values such as NaN, Infinity, -Infinity, or string equivalents.
- Unexpected vLLM worker process termination correlated with incoming completion or chat-completion API calls.
- CUDA runtime errors in vLLM logs referencing invalid sampling probabilities or nan in tensor outputs.
Detection Strategies
- Inspect application logs and reverse-proxy access logs for JSON payloads containing non-finite numeric literals targeting the /v1/completions or /v1/chat/completions endpoints.
- Alert on repeated vLLM worker restarts or CUDA error stack traces emitted by the inference container within short time windows.
- Correlate API request bodies with worker crashes using request IDs to identify the offending client.
Monitoring Recommendations
- Instrument the vLLM service with health and liveness metrics so that worker crashes raise immediate alerts.
- Forward inference API access logs and container stderr to a centralized analytics pipeline for query-based hunting.
- Track per-client error and crash rates to identify abusive sources targeting GPU-backed endpoints.
How to Mitigate CVE-2026-54235
Immediate Actions Required
- Upgrade vLLM to version 0.23.1rc0 or later, which adds math.isfinite() validation for temperature and repetition_penalty.
- Place vLLM behind an authenticated API gateway and restrict network exposure to trusted clients until patched.
- Add request-body validation at the proxy layer to reject payloads containing NaN, Infinity, or -Infinity tokens.
Patch Information
The fix is delivered in vLLM 0.23.1rc0 via commit d598d23 and pull request #45116. The change imports the math module and uses math.isfinite() to reject non-finite sampling parameters. See the GitHub Security Advisory GHSA-7h4p-rffg-7823 and the upstream commit for full technical details.
Workarounds
- Deploy a reverse-proxy filter (NGINX, Envoy, or API gateway) that rejects request bodies containing NaN or Infinity literals before they reach vLLM.
- Wrap the vLLM client interface with a server-side schema validator that coerces and verifies finite floats for temperature and repetition_penalty.
- Restrict the inference endpoint to authenticated internal services until the upgrade is rolled out.
# NGINX example: reject JSON payloads containing non-finite literals
location /v1/ {
if ($request_body ~* "(NaN|Infinity|-Infinity)") {
return 400;
}
proxy_pass http://vllm_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

