Vulnerability Description
vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vllm | Vllm | >= 0.8.3, < 0.14.1 |
Related Weaknesses (CWE)
References
- https://github.com/vllm-project/vllm/pull/31987Issue TrackingPatch
- https://github.com/vllm-project/vllm/pull/32319Issue TrackingPatch
- https://github.com/vllm-project/vllm/releases/tag/v0.14.1Release Notes
- https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvvVendor Advisory
FAQ
What is CVE-2026-22778?
CVE-2026-22778 is a vulnerability with a CVSS score of 9.8 (CRITICAL). vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns th...
How severe is CVE-2026-22778?
CVE-2026-22778 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-22778?
Check the references section above for vendor advisories and patch information. Affected products include: Vllm Vllm.