Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2026-34760

5.9 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): High (H)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): Low (L)

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

vLLM: Downmix Implementation Differences as Attack Vectors Against Audio AI Models

vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before version 0.18.0, Librosa defaults to using numpy.mean for mono downmixing (to_mono), while the international standard ITU-R BS.775-4 specifies a weighted downmixing algorithm. This discrepancy results in inconsistency between audio heard by humans (e.g., through headphones/regular speakers) and audio processed by AI models (Which infra via Librosa, such as vllm, transformer). This issue has been patched in version 0.18.0.

References

https://github.com/vllm-project/vllm/security/advisories/GHSA-6c4r-fmh3-7rh8 x_refsource_CONFIRM
https://github.com/vllm-project/vllm/pull/37058 x_refsource_MISC
https://github.com/vllm-project/vllm/commit/c7f98b4d0a63b32ed939e2b6dfaa8a626e9b46c4 x_refsource_MISC
https://github.com/vllm-project/vllm/releases/tag/v0.18.0 x_refsource_MISC

Affected products

vllm

==>= 0.5.5, < 0.18.0

Matching in nixpkgs

pkgs.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

nixos-unstable 0.16.0
- nixpkgs-unstable 0.16.0
- nixos-unstable-small 0.16.0
nixos-25.11 0.11.2
- nixos-25.11-small 0.11.2
- nixpkgs-25.11-darwin 0.11.2

pkgs.pkgsRocm.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

nixos-unstable 0.16.0
- nixpkgs-unstable 0.16.0
- nixos-unstable-small 0.16.0
nixos-25.11 0.11.2
- nixos-25.11-small 0.11.2
- nixpkgs-25.11-darwin 0.11.2

pkgs.python312Packages.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

nixos-25.11 0.11.2
- nixos-25.11-small 0.11.2
- nixpkgs-25.11-darwin 0.11.2

pkgs.python313Packages.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

nixos-unstable 0.16.0
- nixpkgs-unstable 0.16.0
- nixos-unstable-small 0.16.0
nixos-25.11 0.11.2
- nixos-25.11-small 0.11.2
- nixpkgs-25.11-darwin 0.11.2

pkgs.pkgsRocm.python3Packages.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

nixos-unstable 0.16.0
- nixpkgs-unstable 0.16.0
- nixos-unstable-small 0.16.0
nixos-25.11 0.11.2
- nixos-25.11-small 0.11.2
- nixpkgs-25.11-darwin 0.11.2

Package maintainers

@CertainLach Yaroslav Bolyukin <iam@lach.pw>
@happysalada Raphael Megzari <raphael@megzari.com>
@daniel-fahey Daniel Fahey <daniel.fahey+nixpkgs@pm.me>