Platform
python
Component
vllm
Fixed in
0.5.6
CVE-2026-34760 affects vLLM, an inference and serving engine for large language models (LLMs), in versions 0.5.5 through 0.17.99. The vulnerability stems from an inconsistency in mono audio downmixing within the Librosa library, a dependency of vLLM, which results in a mismatch between the audio a human hears and the audio an AI model processes. The issue is resolved in version 0.18.0.
The core impact of CVE-2026-34760 is the potential for skewed or inaccurate model training and inference caused by the flawed audio processing. Librosa defaults to numpy.mean for mono downmixing, whereas the ITU-R BS.775-4 international standard specifies a weighted downmixing algorithm. The difference produces subtle but measurable variations in the signal presented to the LLM, which can affect its performance and accuracy. While this is not a direct security exploit, the impact is significant for applications that rely on accurate audio analysis, such as speech recognition, audio classification, and music information retrieval, because the discrepancy can introduce bias or errors into the LLM's understanding of audio data.
CVE-2026-34760 is not a direct security exploit in the traditional sense (e.g., RCE or data breach). It's a functional vulnerability impacting the accuracy of audio processing within vLLM. As of the publication date (2026-04-02), there is no indication of active exploitation or a KEV listing. Public proof-of-concept code is not currently available, but the potential for subtle biases in LLM training and inference due to this issue warrants attention.
Organizations and developers using vLLM for applications that rely on accurate audio processing, particularly those involved in speech recognition, audio classification, or music information retrieval, are at risk. This includes researchers, AI developers, and companies deploying LLMs in audio-related applications.
disclosure
Exploit status
EPSS
0.06% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34760 is to upgrade vLLM to version 0.18.0 or later, which corrects the audio downmixing issue. If upgrading is not immediately feasible, consider implementing a temporary workaround by ensuring that audio processing pipelines adhere to the ITU-R BS.775-4 standard for weighted downmixing. This might involve modifying audio processing scripts or using alternative libraries that implement the correct downmixing algorithm. There are no known WAF or proxy rules that can directly mitigate this issue. After upgrading to v0.18.0, verify the audio processing pipeline by comparing the output of the downmixing function with a known-good implementation of ITU-R BS.775-4.
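The mean-versus-weighted discrepancy described above, together with the post-upgrade comparison check from the mitigation advice, as an added Python example that is not code from vLLM, Librosa or this advisory. It assumes a 5.1 channel order of L, R, C, LFE, Ls, Rs, uses the 1/√2 centre and surround weights of the ITU-R BS.775 stereo downmix, and treats the final stereo-to-mono scaling of 0.5 as an assumption rather than a value taken from the standard.

```python
"""Plain channel averaging (the behaviour the advisory attributes to Librosa's
numpy.mean default) versus an ITU-R BS.775-style weighted mono downmix, plus a
check that flags a pipeline whose downmix deviates from the weighted reference."""
import math

SQRT_HALF = 1 / math.sqrt(2)  # 0.7071, the centre/surround weight in ITU-R BS.775

# Assumed 5.1 channel order for every input: L, R, C, LFE, Ls, Rs


def mean_downmix(channels):
    """Per-sample arithmetic mean over all channels, i.e. numpy.mean(axis=0)."""
    n = len(channels)
    return [sum(frame) / n for frame in zip(*channels)]


def bs775_stereo(channels):
    """Weighted 5.1 -> stereo downmix; the LFE channel is not carried over."""
    l, r, c, _lfe, ls, rs = channels
    left = [a + SQRT_HALF * (b + d) for a, b, d in zip(l, c, ls)]
    right = [a + SQRT_HALF * (b + d) for a, b, d in zip(r, c, rs)]
    return left, right


def bs775_mono(channels):
    """Weighted stereo folded to mono; the 0.5 scaling is an assumption."""
    left, right = bs775_stereo(channels)
    return [0.5 * (a + b) for a, b in zip(left, right)]


def max_abs_diff(a, b):
    return max(abs(x - y) for x, y in zip(a, b))


def check_downmix(downmix_fn, channels, tol=1e-6):
    """Verification step from the advisory: compare a pipeline's mono output with
    the weighted reference. Returns (matches, max_deviation)."""
    deviation = max_abs_diff(downmix_fn(channels), bs775_mono(channels))
    return deviation <= tol, deviation


def single_channel_signal(index, value=1.0, length=4, n_channels=6):
    """Constructed test input: a constant signal on one channel, silence elsewhere."""
    return [[value if ch == index else 0.0] * length for ch in range(n_channels)]


CENTER_ONLY = single_channel_signal(2)  # dialogue-style centre-channel content
LFE_ONLY = single_channel_signal(3)     # content the weighted downmix must drop

if __name__ == "__main__":
    for name, sig in (("centre-only", CENTER_ONLY), ("LFE-only", LFE_ONLY)):
        ok, dev = check_downmix(mean_downmix, sig)
        print(f"{name}: mean downmix matches weighted reference: {ok} (max deviation {dev:.4f})")
```

On the centre-only input the averaging downmix attenuates the signal to 1/6 of its level while the weighted downmix keeps it at 0.7071, and on the LFE-only input the averaging downmix leaks content the standard discards entirely.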
Update the vLLM library to version 0.18.0 or later. This ensures that the weighted audio downmixing algorithm specified by the ITU-R BS.775-4 standard is used, avoiding inconsistencies between the audio processed by AI models and the audio heard by humans.
CVE-2026-34760 is a vulnerability in vLLM where incorrect audio downmixing leads to discrepancies between human-perceived and AI-processed audio, potentially impacting LLM inference. It has a CVSS score of 5.9 (MEDIUM).
You are affected if you are using vLLM versions 0.5.5 through 0.17.99. Upgrade to version 0.18.0 to mitigate the issue.
Upgrade vLLM to version 0.18.0 or later. If immediate upgrade isn't possible, ensure your audio processing adheres to the ITU-R BS.775-4 standard.
As of the publication date, there is no evidence of active exploitation or a KEV listing for CVE-2026-34760.
Refer to the vLLM project's official documentation and release notes for details on CVE-2026-34760 and the fix in version 0.18.0.