CRITICAL🇵🇱 Wersja polska

CVE-2026-22778

CVSS 9.8v3.1pub. 2026-02-02upd. 2026-06-29

vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.

🤖 AI Analysis
How it works

When an invalid image is uploaded to vLLM's multimodal endpoint, the PIL library raises an exception that vLLM returns directly to the client — exposing the process heap memory address in the error message content (CWE-532: exposure of sensitive information to logs/responses). Knowing the heap address, the attacker reduces the ASLR randomness space from approximately 4 billion possibilities to only about 8. The memory layout knowledge obtained this way allows the attacker to reliably conduct the second stage of the attack — an exploit leveraging a heap overflow (heap overflow) in the JPEG2000 decoder available through OpenCV or FFmpeg. The combination of both techniques enables remote code execution without any authentication.

Impact

An unauthenticated remote attacker can gain full control over the vLLM process, leading to confidentiality, integrity, and availability compromise of the system — including potential takeover of the host running LLM models.

Mitigation & patch

Update vLLM to version 0.14.1 or later, where the vulnerability has been fixed. Details are available in the official project references and advisory GHSA-4r2x-xpjr-7cvv.

Who is affected

vLLM versions 0.8.3 through 0.14.0 (inclusive) — installations using multimodal endpoints that accept images are excluded.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vllm

    APP
    Vllm
    0.8.3 – 0.14.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEMemory
CWE
References

Related vulnerabilities

CVE-2026-48746CRITICAL9.1PL ✓ten sam produkt

Pominięcie uwierzytelnienia w vLLM — bypass klucza API OpenAI

CVE-2025-47277CRITICAL9.8PL ✓ten sam produkt

vLLM: niezamierzone nasłuchiwanie TCPStore na wszystkich interfejsach sieciowych

CVE-2025-32444CRITICAL10.0PL ✓ten sam produkt

RCE w vLLM poprzez deserializację pickle na niezabezpieczonych gniazdach ZeroMQ

CVE-2024-11041CRITICAL9.8PL ✓ten sam produkt

RCE przez niebezpieczną deserializację w vllm MessageQueue.dequeue()

CVE-2025-29783CRITICAL9.0PL ✓ten sam produkt

RCE przez niebezpieczną deserializację w vLLM z Mooncake (ZMQ/TCP)