Continuous Discovery of Vulnerabilities in LLM Serving Systems with Fuzzing
Authors: Yunze Zhao, Yibo Zhao, Yuchen Zhang et al.
Summary
The authors present GRIEF, a greybox fuzzer for LLM inference engines (vLLM, SGLang) that treats timed multi-request traces as first-class inputs. GRIEF targets serving-layer failures (KV-cache isolation, cross-request interference, scheduling bugs) that emerge only under realistic concurrent workloads and are missed by model or API tests. Using lightweight oracles and controlled replay with log-probability checks, GRIEF discovers 15 vulnerabilities across vLLM and SGLang, including 2 CVEs, spanning KV-cache isolation failures, cross-request performance interference, and crash/liveness bugs.
Main takeaways:
- Modern LLM serving systems (vLLM, SGLang) use shared state (KV cache, prefix sharing, batching, multi-tenant scheduling) that creates concurrency bugs missed by standard model or API tests.
- GRIEF treats timed multi-request traces as inputs, fuzzing the serving layer rather than individual prompts or model behavior.
- Lightweight oracles detect crashes, hangs, performance pathologies (e.g., noisy-neighbor denial of service), and silent output corruption.
- Controlled replay with log-probability checks confirms reproducible serving-layer failures (e.g., cross-request contamination where one request's KV cache leaks into another's output).
- Early campaigns on vLLM and SGLang discovered 15 vulnerabilities (10 confirmed by developers, 2 CVEs), including KV-cache isolation failures, cross-request performance interference, and delayed crashes.
Relevance
Tangentially related to my persona-leakage work. GRIEF targets cross-request contamination in KV-cache and serving infrastructure, similar to how I study persona marker leakage across bystander personas. The core question—how does shared state (KV cache vs. persona geometry) enable unintended information flow—parallels my work on marker implantation and leakage, though GRIEF focuses on infrastructure bugs rather than training-induced behavior.
Threat model
Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses failure, failures.
Abstract
arXiv:2605.11202v1 Announce Type: new Abstract: LLM inference and serving systems have become security-critical infrastructure; however, many of their most concerning failures arise from the serving layer rather than from model behavior alone. Modern inference engines combine KV cache, batching, prefix sharing, speculative decoding, adapters, and multi-tenant scheduling, creating shared-state behavior that only emerges under realistic concurrent workloads and is missed by standard model, safety, and API tests. We present GRIEF, a greybox fuzzer for LLM inference engines that treats timed multi-request traces as first-class inputs, uses lightweight oracles to detect crashes, hangs, performance pathologies, and silent output corruption, and applies controlled replay with log-probability checks to confirm reproducible serving-layer failures. Across early campaigns on vLLM and SGLang, GRIEF discovers 15 vulnerabilities, 10 confirmed by engine developers, including 2 CVEs, spanning KV-cache isolation failures, cross-request performance interference, and crash or liveness bugs. These results show that concurrency, caching, and state reuse can induce silent cross-request contamination, noisy-neighbor denial of service, and delayed crashes without malformed inputs or explicit server errors, making concurrent serving behavior a first-class security and reliability boundary for LLM infrastructure.