vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution
Summary
| CVE | CVE-2026-41523 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-22 23:16:30 UTC |
| Updated | 2026-07-07 12:16:42 UTC |
| Description | vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, an assert-based security check in vLLM's activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model, when vLLM runs in Python optimized mode (python -O or PYTHONOPTIMIZE=1). This vulnerability is fixed in 0.22.0. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.004840000 probability, percentile 0.382530000 (date 2026-07-08)
Problem Types: CWE-94 | CWE-617 | CWE-94 CWE-94: Improper Control of Generation of Code ('Code Injection') | CWE-617 CWE-617: Reachable Assertion | CWE-617 Reachable Assertion
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
RequiredScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Vllm-project | Vllm | affected < 0.22.0 | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server 3.2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/vllm-project/vllm/security/advisories/GHSA-q8gq-377p-jq3r | [email protected] | github.com | Exploit, Third Party Advisory |
| huntr.com/bounties/dcb05b04-e625-41e7-adbc-bbae0cc2d64c | [email protected] | huntr.com | Third Party Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41523.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36006 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| github.com/vllm-project/vllm/commit/b3c7ffcab82c2439726f8cb213800f6f38c0... | [email protected] | github.com | Patch |
| access.redhat.com/errata/RHSA-2026:36005 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-41523 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-22T23:01:00.799Z | Reported to Red Hat. |
| ADP | 2026-06-22T22:18:14.494Z | Made public. |
Solutions
ADP: RHSA-2026:36005: Red Hat AI Inference Server 3.2
ADP: RHSA-2026:36006: Red Hat AI Inference Server 3.2
Workarounds
ADP: Avoid running vLLM with python -O or PYTHONOPTIMIZE=1 until updated packages are available. Only load models from trusted sources. Restrict who can deploy or update models on inference endpoints. Apply network access controls and authentication in front of vLLM APIs.
There are currently no legacy QID mappings associated with this CVE.