Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2026-7141

5.6 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): Low (L)
Exploit Code Maturity (E): Proof-of-Concept (P)
Remediation Level (RL): Official Fix (O)
Report Confidence (RC): Confirmed (C)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): Low (L)

created 2 weeks, 1 day ago Activity log

Created suggestion 2 weeks, 1 day ago

vllm KV Block kv_cache_interface.py has_mamba_layers uninitialized resource

A vulnerability was found in vllm up to 0.19.0. The affected element is the function has_mamba_layers of the file vllm/v1/kv_cache_interface.py of the component KV Block Handler. Performing a manipulation results in uninitialized resource. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been made public and could be used. The patch is named 1ad67864c0c20f167929e64c875f5c28e1aad9fd. To fix this issue, it is recommended to deploy a patch.

References

VDB-359740 | vllm KV Block kv_cache_interface.py has_mamba_layers uninitialized resource vdb-entrytechnical-description
https://github.com/vllm-project/vllm/issues/39146 issue-tracking
https://github.com/vllm-project/vllm/pull/39283 issue-trackingpatch
https://github.com/vllm-project/vllm/issues/39146#issue-4215090365 issue-trackingexploit
https://github.com/AjAnubolu/vllm/commit/1ad67864c0c20f167929e64c875f5c28e1aad9… patch

Ignored references (2)

VDB-359740 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #801297 | vllm-project vLLM 0.19.0 Use of Uninitialized Resource third-party-advisory

Affected products

vllm

==0.6
==0.9
==0.16
==0.2
==0.4
==0.15
==0.7
==0.17
==0.11
==0.19.0
==0.10
==0.1
==0.13
==0.3
==0.8
==0.12
==0.18
==0.14
==0.5

Matching in nixpkgs

pkgs.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

nixos-unstable 0.16.0
- nixpkgs-unstable 0.16.0
- nixos-unstable-small 0.16.0
nixos-25.11 0.11.2
- nixos-25.11-small 0.11.2
- nixpkgs-25.11-darwin 0.11.2

pkgs.pkgsRocm.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

nixos-unstable 0.16.0
- nixpkgs-unstable 0.16.0
- nixos-unstable-small 0.16.0
nixos-25.11 0.11.2
- nixos-25.11-small 0.11.2
- nixpkgs-25.11-darwin 0.11.2

pkgs.python312Packages.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

nixos-25.11 0.11.2
- nixos-25.11-small 0.11.2
- nixpkgs-25.11-darwin 0.11.2

pkgs.python313Packages.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

nixos-unstable 0.16.0
- nixpkgs-unstable 0.16.0
- nixos-unstable-small 0.16.0
nixos-25.11 0.11.2
- nixos-25.11-small 0.11.2
- nixpkgs-25.11-darwin 0.11.2

pkgs.pkgsRocm.python3Packages.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

nixos-unstable 0.16.0
- nixpkgs-unstable 0.16.0
- nixos-unstable-small 0.16.0
nixos-25.11 0.11.2
- nixos-25.11-small 0.11.2
- nixpkgs-25.11-darwin 0.11.2

Package maintainers

@happysalada Raphael Megzari <raphael@megzari.com>
@CertainLach Yaroslav Bolyukin <iam@lach.pw>
@LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev>
@daniel-fahey Daniel Fahey <daniel.fahey+nixpkgs@pm.me>