vLLM Audio Processing Vulnerability Leading to Speech Recognition Exploitation

Vulnerability

A vulnerability exists in vLLM, an inference engine for large language models, in versions from 0.5.5 up to, but not including, 0.18.0. The issue arises from vLLM's reliance on Librosa for audio processing: Librosa's default method for downmixing stereo to mono audio does not comply with the international standard ITU-R BS.775-4. This mismatch can cause discrepancies between audio as humans perceive it and audio as AI models interpret it, potentially degrading performance in tasks such as speech recognition.

The vulnerability can be exploited by embedding interference signals or hidden content in the low-frequency effects (LFE) channel of multichannel audio files. When these files are played on devices that disregard the LFE channel, only the normal content is audible. AI systems that process the audio with Librosa, however, can pick up the LFE interference, which disrupts speech recognition accuracy or masks critical detection features. Exploitation could bypass AI content moderation or voice authentication systems, or cause incorrect transcriptions.
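The gap between the two downmix paths can be measured before audio reaches a model. The following is an added example, not code from vLLM or Librosa: it models the to-mono step as a plain mean over channels and compares it with a weighted downmix that leaves LFE out. The channel order, the weights, the `needs_review` gate with its -20 dB threshold, and the test signal are all assumptions of this sketch.

```python
import math

# Assumed channel order of a 5.1 frame (WAV convention): L, R, C, LFE, Ls, Rs.
LFE = 3
# Assumed 3/2 -> mono weights for the ITU-style path; the property that
# matters for this advisory is that the LFE weight is zero.
ITU_WEIGHTS = (0.7071, 0.7071, 1.0, 0.0, 0.5, 0.5)

def mean_downmix(frames):
    """Average all channels equally, LFE included (a mean-based to-mono step)."""
    return [sum(f) / len(f) for f in frames]

def itu_style_downmix(frames):
    """Weighted sum that leaves the LFE channel out."""
    return [sum(w * x for w, x in zip(ITU_WEIGHTS, f)) for f in frames]

def rms(samples):
    return math.sqrt(sum(v * v for v in samples) / len(samples))

def lfe_to_program_db(frames):
    """Level of the LFE share of the mean downmix relative to the rest, in dB."""
    n = len(frames[0])
    lfe_part = rms([f[LFE] / n for f in frames])
    rest_part = rms([(sum(f) - f[LFE]) / n for f in frames])
    if lfe_part == 0.0:
        return float("-inf")
    if rest_part == 0.0:
        return float("inf")
    return 20 * math.log10(lfe_part / rest_part)

def needs_review(frames, threshold_db=-20.0):
    """Hypothetical ingest gate: flag files whose LFE would reach the model."""
    return lfe_to_program_db(frames) > threshold_db

def make_sample(lfe_amp, rate=8000, seconds=0.1):
    """Constructed test signal: 440 Hz in L/R, optional 60 Hz tone in LFE."""
    frames = []
    for k in range(int(rate * seconds)):
        front = 0.3 * math.sin(2 * math.pi * 440 * k / rate)
        lfe = lfe_amp * math.sin(2 * math.pi * 60 * k / rate)
        frames.append((front, front, 0.0, lfe, 0.0, 0.0))
    return frames

if __name__ == "__main__":
    for name, amp in (("clean", 0.0), ("lfe-heavy", 0.9)):
        s = make_sample(amp)
        print(name, round(lfe_to_program_db(s), 2), needs_review(s))
```

On the constructed LFE-heavy sample the mean downmix carries more LFE than program material, while the weighted downmix is identical to that of the clean sample.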

Impact

Exploitation of this vulnerability allows for interference with speech recognition systems, leading to incorrect transcriptions. It can also bypass AI detection of prohibited content, potentially compromising voice authentication processes by introducing anomalous audio that is accepted as genuine.

Reproduction

The vulnerability can be reproduced by creating a multichannel audio file that includes normal content in the front channels while embedding interference or hidden messages in the LFE channel. This audio can then be processed by an AI model using vLLM, which will inadvertently amplify the hidden content, causing disruptions in speech recognition or voice authentication systems.

Remediation

Users can update to vLLM version 0.18.0 or later, where this vulnerability has been addressed.

Added: Apr 2, 2026, 9:32 PM
Updated: Apr 2, 2026, 9:32 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 0.6
exploitability: 7.3
remediation: 7.7
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.