QwikSec

Security Database

CVE

CWE

Training

CVE-2026-34760

Published: Apr 2, 2026

Modified: Apr 3, 2026

PUBLISHED

CVSS v3.1

5.9

MEDIUM

Description

vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before version 0.18.0, Librosa defaults to using numpy.mean for mono downmixing (to_mono), while the international standard ITU-R BS.775-4 specifies a weighted downmixing algorithm. This discrepancy results in inconsistency between audio heard by humans (e.g., through headphones/regular speakers) and audio processed by AI models (Which infra via Librosa, such as vllm, transformer). This issue has been patched in version 0.18.0.

Vendor	Product	Versions
vllm-project	vllm	affected `>= 0.5.5, < 0.18.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

References

https://github.com/vllm-project/vllm/security/advisories/GHSA-6c4r-fmh3-7rh8

x_refsource_CONFIRM

https://github.com/vllm-project/vllm/pull/37058

x_refsource_MISC

https://github.com/vllm-project/vllm/commit/c7f98b4d0a63b32ed939e2b6dfaa8a626e9b46c4

x_refsource_MISC

https://github.com/vllm-project/vllm/releases/tag/v0.18.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.