CVE-2026-5497 Unbounded Frame Count in video/jpeg Base64 Data URL Processing Leads to OOM DoS in vllm-project/vllm

vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory OOM Denial of Service DoS attack due to unbounded frame count processing in the VideoMediaIO.loadbase64 method. When processing video/jpeg data URLs, the method splits the base64 data string on commas to extract individual JPEG fram...

GHSA-PQ5C-RJHQ-QP7P vLLM: Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing

Summary The VideoMediaIO.loadbase64 method at vllm/multimodal/media/video.py:51-62 splits video/jpeg data URLs by comma to extract individual JPEG frames, but does not enforce a frame count limit. The numframes parameter default: 32, which is enforced by the loadbytes code path at line 47-48, is...