This work addresses a critical security vulnerability in large language model (LLM) serving systems: shared key-value (KV) cache blocks lack integrity protection and are susceptible to bit-flip attacks, which can silently corrupt model outputs without detection. Through software fault injection and bit-level analysis of BF16 representations, the study reveals three previously unknown vulnerabilities—silent divergence, selective propagation, and persistent accumulation—specifically under vLLM’s prefix caching mechanism. To mitigate this threat, the authors propose a lightweight checksum-based defense that detects any single-bit error during the scheduling phase, effectively confining the impact of corruption to a single batch and preventing error propagation across requests. Experimental results demonstrate that even a single bit flip can induce subtle yet persistent output deviations, while the proposed mechanism significantly enhances system robustness with minimal performance overhead.

Rowhammer on GPU DRAM has enabled adversarial bit flips in model weights; shared KV-cache blocks in LLM serving systems present an analogous but previously unexamined target. In vLLM's Prefix Caching, these blocks exist as a single physical copy without integrity protection. Using software fault injection under ideal bit targeting, we characterize worst-case severity and identify three properties: (1) Silent divergence - 13 of 16 BF16 bit positions produce coherent but altered outputs, indistinguishable from legitimate responses without a clean baseline. (2) Selective propagation - only requests sharing the targeted prefix are affected. (3) Persistent accumulation - no temporal decay occurs, so cumulative damage grows linearly with subsequent requests. Together, these constitute a threat profile distinct from weight corruption: silent divergence and selective propagation enable detection evasion; persistent accumulation then proceeds unchecked, yielding damage amplification bounded only by how long the block remains cached. A checksum-based countermeasure detects any single-bit corruption at scheduling time, bounding cumulative damage to one batch independent of the block's cache lifetime, with negligible overhead. These results argue for integrity protection of prefix blocks before end-to-end exploitation is demonstrated.