vLLM - Denial of Service via Unvalidated Multimodal Embeddings

An attacker can submit crafted embedding requests with malformed sparse tensor indices (negative or out-of-bounds values) when the prompt-embeds feature is enabled. Because PyTorch disables sparse tensor invariant checks by default for performance, these malformed tensors are accepted without validation [ref_id=1]. This can trigger crashes, resource exhaustion (denial of service), and potentially out-of-bounds/write-what-where memory corruption. The attack requires the prompt-embeds feature to be explicitly enabled by the server operator.

The vulnerability resides in the multimodal embeddings processing path of vLLM (versions >= 0.10.2 and < 0.13.0). The root cause is missing sparse tensor validation when handling prompt-embed requests, specifically the lack of checks for malformed (negative or out-of-bounds) tensor indices. The prior fix for CVE-2025-62164 only disabled the prompt-embeds feature by default rather than adding proper validation [ref_id=1].

The patch adds sparse tensor validation to ensure indices are valid, non-negative, and within bounds [ref_id=1]. This addresses the root cause rather than merely disabling the feature. By validating tensor invariants before processing, the fix prevents malformed embedding requests from causing crashes, resource exhaustion, or memory corruption. The advisory notes that PyTorch disables these checks by default, making explicit validation necessary.