Skip to content

security(huggingface-vllm): allowlist CVE-2026-39822 and CVE-2026-55574#6379

Merged
sallyseok merged 1 commit into
mainfrom
hf-vllm-allowlist-cve-2026-39822
Jul 10, 2026
Merged

security(huggingface-vllm): allowlist CVE-2026-39822 and CVE-2026-55574#6379
sallyseok merged 1 commit into
mainfrom
hf-vllm-allowlist-cve-2026-39822

Conversation

@dwarez

@dwarez dwarez commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

Purpose

The Hugging Face vLLM SageMaker ECR scan flags two non-allowlisted HIGH CVEs, both unpatchable from the HF layer. Approved to allowlist:

  • CVE-2026-39822go/stdlib 1.25.9 statically linked inside the prebuilt mooncake/libetcd_wrapper.so. Cannot be patched without a mooncake-transfer-engine rebuild (same class as the other CVE-2026-3982x mooncake entries already in this allowlist).
  • CVE-2026-55574vllm 0.22.1, fixed only in 0.24.0. The vLLM version is pinned by the base DLC and can't be bumped independently.

Both get a reason + review_by in test/security/data/ecr_scan_allowlist/huggingface-vllm/framework_allowlist.json. This is risk-acceptance, not a code fix — neither CVE is patchable downstream.

Test Plan

Re-run the Hugging Face vLLM pipeline security scan.

Test Result

  • ✅ JSON validates; pre-commit clean.
  • ⏳ ECR scan passes on the next pipeline run.

🤖 Generated with Claude Code

Both are unpatchable from the HF layer:
- CVE-2026-39822: go/stdlib 1.25.9 statically linked inside the prebuilt
  mooncake libetcd_wrapper.so; needs a mooncake-transfer-engine rebuild
  (same class as the other CVE-2026-3982x mooncake entries here).
- CVE-2026-55574: fixed only in vllm 0.24.0; the vLLM version is pinned by
  the base DLC and cannot be bumped independently.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Signed-off-by: DWarez <dario.salvati@huggingface.co>
@sallyseok sallyseok merged commit b3aa9e0 into main Jul 10, 2026
25 checks passed
@sallyseok sallyseok deleted the hf-vllm-allowlist-cve-2026-39822 branch July 10, 2026 22:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants