#VU124865 Interpretation Conflict in vLLM - CVE-2026-34760

 


Published: April 4, 2026


Vulnerability identifier: #VU124865
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34760
CWE-ID: CWE-436
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: vLLM
Software vendor: vLLM

Description

The vulnerability allows a remote user to manipulate audio model processing results.

The vulnerability exists due to improper algorithm implementation in the audio downmixing functionality when processing specially crafted multichannel audio input. A remote user can supply a specially crafted multichannel audio file with interference signals or hidden content in unsupported channels to manipulate audio model processing results.

This issue stems from differences between Librosa mono downmixing behavior and the ITU-R BS.775-4 weighted downmixing standard, causing inconsistencies between audio heard by humans and audio processed by AI models. The advisory notes that LFE and channels beyond the 6th may be used to affect speech recognition, content moderation, or voice authentication outcomes.
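The following is an added example, not code from vLLM or from the advisory. It contrasts an arithmetic-mean downmix (how librosa.to_mono behaves) with a weighted downmix that ignores LFE and channels beyond the 6th, and shows an intake check that flags audio whose model-visible signal comes mostly from those ignored channels. The channel order, the gain values, the threshold and all function names are assumptions made for illustration.

```python
import math

# Assumed channel order (WAV 5.1 layout): L, R, C, LFE, Ls, Rs; later channels are extras.
# Assumed gains: commonly cited BS.775 mono downmix values; confirm against the standard.
ITU_MONO_GAINS = [0.7071, 0.7071, 1.0, 0.0, 0.5, 0.5]

def mean_downmix(frames):
    """Arithmetic mean over every channel, as librosa.to_mono computes it."""
    return [sum(f) / len(f) for f in frames]

def weighted_downmix(frames):
    """Weighted mono downmix: LFE and channels past the 6th contribute nothing."""
    return [sum(g * s for g, s in zip(ITU_MONO_GAINS, f)) for f in frames]

def rms(samples):
    return math.sqrt(sum(s * s for s in samples) / len(samples)) if samples else 0.0

def ignored_channel_ratio(frames):
    """RMS of the mean-downmix part fed only by LFE/extra channels, over total RMS."""
    ignored = [(sum(f[3:4]) + sum(f[6:])) / len(f) for f in frames]
    total = rms(mean_downmix(frames))
    return rms(ignored) / total if total else 0.0

def should_reject(frames, threshold=0.25):
    """Hypothetical intake policy: refuse audio whose model-visible signal comes
    largely from channels a listener on a standard downmix never hears."""
    return ignored_channel_ratio(frames) > threshold

def build(n_channels, active, n=160, rate=16000, freq=440.0):
    """Constructed sample: one 440 Hz tone copied onto the listed channel indexes."""
    tone = [0.5 * math.sin(2 * math.pi * freq * i / rate) for i in range(n)]
    return [[s if c in active else 0.0 for c in range(n_channels)] for s in tone]

BENIGN = build(6, {0, 1, 2})      # content in L, R, C only
SUSPECT = build(8, {3, 6, 7})     # content only in LFE and channels 7-8

if __name__ == "__main__":
    for name, frames in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, round(rms(mean_downmix(frames)), 4),
              round(rms(weighted_downmix(frames)), 4), should_reject(frames))
```

For the second sample the weighted downmix is silent while the mean downmix is not, which is the mismatch between what a listener hears and what the model receives.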


Remediation

Install the security update from the vendor's website.
