Platform: python
Component: vllm
Fixed in: 0.5.6
CVE-2026-34760 affects vLLM, an inference and serving engine for large language models (LLMs), impacting versions 0.5.5 through 0.17.99. This vulnerability stems from an inconsistency in audio downmixing within the Librosa library, resulting in a mismatch between how humans perceive audio and how AI models process it. The issue is resolved in version 0.18.0.
The core impact of CVE-2026-34760 lies in the potential for skewed or inaccurate AI model training and inference due to the flawed audio processing. Specifically, Librosa, a dependency of vLLM, defaults to using numpy.mean for mono downmixing, deviating from the ITU-R BS.775-4 international standard which specifies a weighted downmixing algorithm. This difference can lead to subtle but significant variations in the audio signal presented to the LLM, potentially affecting its performance and accuracy. While not a direct security exploit, the impact is significant for applications relying on accurate audio analysis and processing, such as speech recognition, audio classification, and music information retrieval. The discrepancy could introduce bias or errors into the LLM's understanding of audio data.
CVE-2026-34760 is not a direct security exploit in the traditional sense (e.g., RCE or data breach). It's a functional vulnerability impacting the accuracy of audio processing within vLLM. As of the publication date (2026-04-02), there is no indication of active exploitation or a KEV listing. Public proof-of-concept code is not currently available, but the potential for subtle biases in LLM training and inference due to this issue warrants attention.
Exploit Status
EPSS: 0.06% (20th percentile)
The primary mitigation for CVE-2026-34760 is to upgrade vLLM to version 0.18.0 or later, which corrects the audio downmixing issue. If upgrading is not immediately feasible, consider implementing a temporary workaround by ensuring that audio processing pipelines adhere to the ITU-R BS.775-4 standard for weighted downmixing. This might involve modifying audio processing scripts or using alternative libraries that implement the correct downmixing algorithm. There are no known WAF or proxy rules that can directly mitigate this issue. After upgrading to v0.18.0, verify the audio processing pipeline by comparing the output of the downmixing function with a known-good implementation of ITU-R BS.775-4.
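The verification step above, as an added example that is not code from vLLM, Librosa or the page: a plain per-sample channel average (what numpy.mean over the channel axis produces) is compared against a weighted mono downmix on a constructed 5.1 signal. The channel weights are an assumption for illustration (centre and surround attenuated by 3 dB, LFE dropped, result normalised by the weight sum); take the actual coefficients from your copy of ITU-R BS.775-4.

```python
import math

# Constructed 5.1 channel order used by this example (an assumption).
CHANNELS = ["L", "R", "C", "LFE", "Ls", "Rs"]

# Assumed illustrative weights: fronts at unity, centre and surrounds at
# -3 dB (1/sqrt(2)), LFE excluded. Replace with the BS.775-4 coefficients.
ASSUMED_WEIGHTS = {"L": 1.0, "R": 1.0, "C": 1 / math.sqrt(2), "LFE": 0.0,
                   "Ls": 1 / math.sqrt(2), "Rs": 1 / math.sqrt(2)}


def mean_downmix(frames):
    """Per-sample arithmetic mean across channels, i.e. numpy.mean(axis=0)
    behaviour; every channel, LFE included, gets the same weight."""
    return [sum(f) / len(f) for f in frames]


def weighted_downmix(frames, weights=ASSUMED_WEIGHTS):
    """Weighted mono downmix, normalised so a signal identical on all
    channels comes out unchanged."""
    w = [weights[c] for c in CHANNELS]
    norm = sum(w)
    return [sum(s * wi for s, wi in zip(f, w)) / norm for f in frames]


def max_abs_deviation(a, b):
    return max(abs(x - y) for x, y in zip(a, b))


def check_pipeline(downmix_fn, frames, reference_fn=weighted_downmix, tol=1e-6):
    """Return (ok, deviation): ok is False when downmix_fn disagrees with
    the reference implementation by more than tol on any sample."""
    dev = max_abs_deviation(downmix_fn(frames), reference_fn(frames))
    return dev <= tol, dev


def lfe_only_frames(n=4, amp=0.6):
    """Constructed test signal: energy only on the LFE channel, which a
    weighted downmix drops but a plain mean folds into the mono output."""
    return [[0.0, 0.0, 0.0, amp, 0.0, 0.0] for _ in range(n)]


if __name__ == "__main__":
    ok, dev = check_pipeline(mean_downmix, lfe_only_frames())
    print("mean downmix matches weighted reference:", ok, "deviation:", dev)
```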
Update the vLLM library to version 0.18.0 or later. This ensures that the weighted audio downmixing algorithm specified by the ITU-R BS.775-4 standard is used, avoiding inconsistencies between audio processed by AI models and audio heard by humans.
CVE-2026-34760 is a vulnerability in vLLM where incorrect audio downmixing leads to discrepancies between human-perceived and AI-processed audio, potentially impacting LLM inference. It has a CVSS score of 5.9 (MEDIUM).
You are affected if you are using vLLM versions 0.5.5 through 0.17.99. Upgrade to version 0.18.0 to mitigate the issue.
Upgrade vLLM to version 0.18.0 or later. If immediate upgrade isn't possible, ensure your audio processing adheres to the ITU-R BS.775-4 standard.
As of the publication date, there is no evidence of active exploitation or a KEV listing for CVE-2026-34760.
Refer to the vLLM project's official documentation and release notes for details on CVE-2026-34760 and the fix in version 0.18.0.