A vulnerability was found in vllm-project vllm up to 0.19.x . It has been rated as problematic . This impacts the function extract_hidden_states . Performing a manipulation of the argument repetition_penalty/frequency_penalty/presence_penalty results in incorrect calculation of buffer size. This vulnerability is known as CVE-2026-44223 . Remote exploitation of the attack is possible. No exploit is available. Upgrading the affected component is advised.