python · vllm · Heads-up

vllm: Incomplete CVE-2026-22778 fix leaks memory addresses in Anthropic API and speech-to-text endpoints

18 Jun 2026 · Read 1 min · Severity: schedule it

What changed

The fix for CVE-2026-22778 (sanitize_message) was incomplete; five new code paths in the Anthropic API router and speech-to-text WebSocket leak object-repr memory addresses via str(exc) in error responses.

Who it affects

All vLLM deployments using the Anthropic Messages API (POST /v1/messages, POST /v1/messages/count_tokens) or the realtime speech-to-text WebSocket endpoint.

What to do today

Apply sanitize_message to the five identified sites as described in the advisory, or update to the patched version (PR #45119).
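As an added illustration (not vLLM's own sanitize_message and not the code in PR #45119), a minimal sanitizer for the leak pattern described above: when an exception message embeds an object's default repr, str(exc) carries a heap address such as "at 0x7f3a1c2b9d30" into the error body, and the mitigation is to strip it before the message leaves the handler. The Anthropic-style error envelope shape and the _Handle class are assumptions made for the example.

```python
import re

# Matches the address part of CPython's default object repr,
# e.g. "<vllm.SomeClass object at 0x7f3a1c2b9d30>" -> " at 0x7f3a1c2b9d30".
# Constructed pattern for this example; not vLLM's sanitize_message.
_ADDR_RE = re.compile(r"\s+at 0x[0-9A-Fa-f]+")


def sanitize_exception_message(exc: BaseException) -> str:
    """Return str(exc) with any embedded memory addresses removed."""
    return _ADDR_RE.sub("", str(exc))


def contains_memory_address(text: str) -> bool:
    """Detection helper: True if an error message still carries an address."""
    return _ADDR_RE.search(text) is not None


class _Handle:
    """Stand-in (assumed) for an internal object whose default repr leaks."""


def leaky_error_response(exc: BaseException) -> dict:
    """The pattern the advisory describes: str(exc) copied into the body."""
    return {"type": "error",
            "error": {"type": "invalid_request_error", "message": str(exc)}}


def safe_error_response(exc: BaseException) -> dict:
    """Same envelope, but the message is sanitized before it is returned."""
    return {"type": "error",
            "error": {"type": "invalid_request_error",
                      "message": sanitize_exception_message(exc)}}


if __name__ == "__main__":
    # Constructed failure: an exception whose message embeds an object repr.
    exc = ValueError(f"unexpected value {_Handle()!r}")
    print(leaky_error_response(exc)["error"]["message"])  # leaks "at 0x..."
    print(safe_error_response(exc)["error"]["message"])   # address removed
```

contains_memory_address doubles as a regression check: run it over the bodies your error handlers produce to confirm no path still returns a raw repr.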
