NVIDIA Optimized Frameworks

SGLang Release 26.05

This SGLang container release is intended for use on the NVIDIA® Hopper Architecture GPU, NVIDIA H100, the NVIDIA® Ampere Architecture GPU, NVIDIA A100, and the associated NVIDIA CUDA® 12 and NVIDIA cuDNN 9 libraries. The NVIDIA container image for the SGLang release is available on NGC.

Contents of the SGLang container

This container image contains the complete source of the version of SGLang in /opt/sglang. It is pre-built and installed in the Python default environment/usr/local/lib/python3.12/dist-packages/sglang/in the container image. Visit SGLang Docs to learn more about SGLang.

The NVIDIA SGLang Container is optimized for use with NVIDIA GPUs, and contains the following software for GPU acceleration.

  • Please see the CUDA section for the list of libraries inherited from CUDA container.
  • NVIDIA CUDA 13.2.1.009
  • SGLang 0.5.11
  • flashinfer 0.6.10
  • transformers 5.6.0
  • flash-attention 2.7.4.post1
  • xgrammar 0.1.32
  • Torch 2.12.0a0+5aff3928d8

Driver Requirements

Release 26.05 is based on CUDA 13.2.1 For comprehensive and up-to-date driver compatibility information, please refer to the following documentation:

Key Features and Enhancements

This SGLang release includes the following key features and enhancements.

  • Support for multi-node configurations.

  • GB300/B300 support.
  • RTX PRO™ 6000 Blackwell Server Edition support.
  • DGX Spark support.

  • Jetson Thor support.
  • Support for 8-bit floating point (FP8) precision on Hopper GPUs and above.
  • Support NVIDIA innovative 4-bit floating point NVFP4 format on Blackwell GPUs (including Jetson Thor and DGX Spark), which provides better training and inference performance with lower memory utilization.

  • Supported for DeepSeek-R1, Llama-3.1-8B-Instruct.
  • Support for openai/gpt-oss-20b and openai/gpt-oss-120b.
  • Support for Nemotron-3 Nano Omni
  • Qwen3.6-35B-A3B-FP8

Announcements

  • None.

Known Issues

  • MTP is not supported for NVIDIA-Nemotron-3-Super models.
  • There is a known issue with Phi 4 Multimodal Instruct FP8.
  • The 26.05 SGLang container release includes 5 vulnerabilities (CVEs). See the details below:
    • CVE-2026-6100
      • The use-after-free only triggers if a lzma / bz2 / gzip decompressor instance is re-used after a MemoryError under memory pressure. The AWS CLI bundled in the container uses one-shot decompression helpers and is not on the container's training / inference path, so the vulnerable condition is not reached.
    • CVE-2026-7210
      • The vulnerable Python is only used by the AWS CLI bundled in the container as an operator-invoked tool — it is not exposed as a network service and the container's training / inference workloads do not invoke it. Customers using AWS CLI should only point it at trusted AWS endpoints and avoid feeding it XML from untrusted sources.
    • CVE-2026-7302
      • The path traversal is only exploitable via the multimodal image/video upload endpoints, if the caller constructs target_path by joining the client-supplied multipart filename directly into the uploads directory, without sanitization. Restrict access to SGLang's HTTP API to trusted clients. Block external access to the upload endpoints at the network or reverse-proxy layer.
    • CVE-2026-7304
      • The vulnerability is only exploitable when --enable-custom-logit-processor is set. Do not enable this flag unless the generation endpoint is restricted to fully trusted clients. If the flag must be enabled, isolate the SGLang instance from untrusted network access via firewall or network policy.
    • CVE-2026-7301
      • The scheduler socket is only reachable when SGLang is launched with --host 0.0.0.0 (as is done in official SGLang examples). Do not expose SGLang service interfaces to untrusted networks. Avoid network_mode: host in Docker deployments. Restrict scheduler socket access to trusted internal networks via firewall rules. Reviewed by human; approval flow automated using AI agent.

© Copyright 2026, NVIDIA. Last updated on Jul 9, 2026