CVE-2026-10775: SGLang Cache Handler Denial-of-Service Vulnerability (v0.5.11)
CVE-2026-10775 is a denial-of-service vulnerability in SGLang's cache handling mechanism. An attacker with local system access and user-level privileges can trigger a crash or service interruption by exploiting the data_hash function in the cache handler. The attack requires specific knowledge of the system's cache internals, making it moderately difficult to execute, though proof-of-concept code has been publicly disclosed.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.6 LOW · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
- Weaknesses (CWE)
- CWE-404
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
A vulnerability was determined in sgl-project SGLang up to 0.5.11. Affected by this vulnerability is the function data_hash of the component Cache Handler. This manipulation causes denial of service. The attack is restricted to local execution. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.
9 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the data_hash function within SGLang's Cache Handler component, affecting versions up to 0.5.11. The flaw allows a local, authenticated attacker to cause a denial of service through a manipulation attack. The CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L) indicates local attack vector, high attack complexity, low privilege requirement, no user interaction needed, and impact limited to integrity and availability. The issue is categorized under CWE-404 (Improper Resource Validation), suggesting insufficient checking of cache resources or state.
Business impact
In production environments running SGLang, a malicious insider or compromised local user account could repeatedly trigger cache handler failures, causing service degradation or outages for LLM inference workloads. While the vulnerability does not leak data (no confidentiality impact), the availability impact means customer inference requests could fail intermittently. For services relying on SGLang for continuous inference, this creates operational risk and potential SLA violations, though the required local access and high complexity limit the attack surface significantly.
Affected systems
SGLang (sgl-project) up to and including version 0.5.11 is affected. The vulnerability is restricted to local execution, so only systems where untrusted code runs locally or where user accounts are compromised represent real risk. Organizations using SGLang in isolated or fully managed environments (e.g., containerized deployments with no local user shell access) face reduced risk. Verify your installed SGLang version and review local access controls on machines running the service.
Exploitability
Public proof-of-concept disclosures exist, lowering the bar for would-be attackers who have already cleared the primary hurdle: local system access with user-level privileges. The attack complexity is rated 'high,' meaning exploitation requires specific conditions or deep knowledge of cache internals to reliably trigger the denial of service. An attacker must be either a privileged local user or have compromised a service account running SGLang. This is not a remote, unauthenticated threat and does not warrant emergency response, but should factor into insider threat and supply-chain compromise scenarios.
Remediation
Upgrade SGLang to a version newer than 0.5.11 once a patch is released. Currently, the fix is under review (pending pull request acceptance), so monitor the SGLang GitHub repository for an official release. Until then, apply compensating controls: restrict local user accounts on SGLang hosts, enforce authentication and access controls on any local interfaces, monitor cache handler logs for anomalies, and consider network segmentation to limit attack paths if SGLang is part of a larger inference platform.
Patch guidance
When a patched version is released (verify against the official SGLang repository and release notes), apply it during a maintenance window that allows service restart. Given the low CVSS score and local-only attack vector, patching can follow standard change management rather than emergency procedures. Test the upgrade in a non-production environment first to ensure cache behavior remains stable. Review any breaking changes in the release notes, as cache handler modifications may affect performance or compatibility with dependent applications.
Detection guidance
Monitor SGLang logs for cache handler exceptions, particularly failures in the data_hash function. Implement system-level monitoring for repeated denial-of-service attempts targeting the cache (look for rapid restarts or error spikes). Track user and service-account activity on hosts running SGLang; suspicious local access patterns combined with cache failures warrant investigation. In containerized environments, use admission controls and resource quotas to limit the blast radius of cache-based DoS attacks. Endpoint Detection and Response (EDR) tools should flag repeated attempts to manipulate or interrogate the cache handler.
Why prioritize this
Although the CVSS score is low (3.6), the vulnerability warrants attention because public exploits exist and cache layer attacks can be vectors for lateral movement in AI/ML platforms. However, prioritization should be proportional: organizations with SGLang running in isolated, access-controlled environments can defer patching to the next planned maintenance cycle. Teams with broader local-user populations or shared inference clusters should prioritize the upgrade sooner. The vulnerability is not currently on the CISA KEV list, reflecting its low immediate national risk, but individual organizations should assess their local threat model.
Risk score, explained
CVSS 3.6 (Low) reflects the convergence of low attack surface (local access only, high complexity) with limited impact scope (no data confidentiality loss, availability and integrity impact are bounded to cache operation). The score would be higher if the vulnerability were remotely exploitable or required no privileges. For context, this is below the threshold most organizations use for emergency patching, but should still be tracked and remediated in the normal patch cycle, especially in sensitive or high-availability deployments.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-10775 requires local execution and user-level privileges. It cannot be triggered over the network or by anonymous attackers. Remote access to a SGLang instance does not automatically grant the ability to exploit this cache handler flaw.
What happens if someone exploits this?
The cache handler crashes or becomes unavailable temporarily, causing SGLang to drop or fail pending inference requests. The attacker cannot steal data or modify inference results; the impact is limited to denial of service and potential service restarts. Impact is contained to the affected SGLang instance.
Do I need to patch immediately?
Patching should follow your normal change management schedule unless you operate in a threat environment with known insider risks or untrusted local users. The CVSS score and KEV-ineligible status indicate this is not a critical emergency, but upgrade before or shortly after a stable patch is released. Prioritize higher if SGLang is in a multi-tenant or shared environment.
Where can I find the fix?
Monitor the SGLang repository (lmsys/sglang on GitHub) for release announcements and pull request updates. The fix is currently pending acceptance; once merged and released, follow the official upgrade documentation. Verify the version number and changelog before deploying to production.
This analysis is provided for informational purposes and reflects the state of CVE-2026-10775 as of the publication date. CVSS scores, affected versions, and patch status are current as of June 2026 and may evolve as the vendor releases fixes and further analysis emerges. Always verify patch availability and compatibility with your specific SGLang deployment before upgrading. Organizations should conduct their own risk assessment based on their deployment model, local access controls, and threat landscape. This summary does not constitute a guarantee of vulnerability impact or availability of fixes and is not a substitute for vendor advisories or internal security reviews. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10197LOWAssimp glTF2 Null Pointer Dereference Denial of Service
- CVE-2026-10198LOWAssimp glTF Importer Null Pointer Dereference DoS Vulnerability
- CVE-2026-10199LOWAssimp Null Pointer Dereference in glTF2 Parsing
- CVE-2026-10201LOWAssimp FBX Divide-by-Zero Denial of Service
- CVE-2026-10295LOWDenial of Service in SourceCodester Customer Review App 1.0
- CVE-2026-10298LOWwhisper.cpp Null Pointer Dereference Vulnerability – Local Denial of Service
- CVE-2026-10705LOWDask HyperLogLog Resource Exhaustion Vulnerability
- CVE-2026-10069HIGHShibby Tomato miniupnpd Resource Exhaustion Vulnerability