UnratedPublic exploit

vLLM Anthropic API and speech-to-text heap address information leak

IdentifiersCVE-2026-54236CWE-200

CVE-2026-54236 is an information disclosure vulnerability in vLLM caused by an incomplete fix for CVE-2026-22778. Prior to vLLM 0.23.1rc0, several error-handling paths return raw exception text to clients by embedding str(exc) directly in responses instead of passing the message through the sanitize_message helper intended to strip object-representation memory addresses. The affected paths include the Anthropic API router in vllm/entrypoints/anthropic/api_router.py for POST /v1/messages and POST /v1/messages/count_tokens, the Server-Sent Events streaming converter in vllm/entrypoints/anthropic/serving.py, and the realtime speech-to-text WebSocket handler in vllm/entrypoints/speech_to_text/realtime/connection.py. These handlers catch exceptions locally and construct JSONResponse objects themselves, bypassing the sanitizing global FastAPI exception handler; WebSocket frames also do not traverse that handler chain. An unauthenticated attacker can trigger the issue by supplying malformed image bytes through Anthropic Messages API image content parts, causing PIL.Image.open to raise UnidentifiedImageError. The resulting exception string can include a Python object representation such as a BytesIO repr with a literal heap address, which is then reflected to the client in the error response.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation discloses process memory addresses, specifically heap/object addresses embedded in Python object representations such as <_io.BytesIO object at 0x...>. This weakens ASLR and provides an address-leak primitive that can support follow-on exploitation, including use as an entry primitive in a broader remote code execution chain when combined with a separate memory corruption bug. The issue is remotely reachable and does not require authentication on exposed vulnerable endpoints.

Mitigation

If you can’t patch tonight, do this now.

Until an upgrade is applied, prevent raw exception strings from being returned to clients on the Anthropic API, streaming, and speech-to-text realtime paths. Apply sanitize_message or equivalent filtering to all locally constructed error responses, including WebSocket error frames. As defense in depth, restrict external access to affected endpoints, especially unauthenticated internet exposure, and consider additional sanitization that removes standalone hexadecimal pointer-like values from outbound error bodies.

Remediation

Patch, then assume compromise.

Upgrade vLLM to 0.23.1rc0 or later, which fixes the incomplete sanitization. If patching code directly, ensure all affected response paths sanitize exception text before returning it to clients, specifically in vllm/entrypoints/anthropic/api_router.py, vllm/entrypoints/anthropic/serving.py, and vllm/entrypoints/speech_to_text/realtime/connection.py. Error handling should be made consistent across HTTP, SSE, and WebSocket paths so raw str(exc) is never exposed externally.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Vllm-ProjectVllmapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

nuclei templates pull requestsNews

Jun 21, 2026

Add CVE-2026-54236 vLLM Anthropic router heap-address info-leak template by kenlacroix · Pull Request #16442 · projectdiscovery/nuclei-templates · GitHub

An information disclosure vulnerability in the vLLM Anthropic router that appears to leak heap memory addresses via error handling or exception output, potentially exposing sensitive process memory details.

metasploit pull requestsNews

Jun 21, 2026

Add vLLM Anthropic router info-leak scanner for CVE-2026-54236 by kenlacroix · Pull Request #21593 · rapid7/metasploit-framework · GitHub

An information disclosure vulnerability in vLLM caused by an incomplete fix, where Anthropic-compatible and speech-to-text endpoints leak heap addresses via unsanitized exception strings, aiding an RCE chain by defeating ASLR.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-54236

NVD

nvd.nist.gov/vuln/detail/CVE-2026-54236

MITRE CWE · CWE-200

cwe.mitre.org