Description
vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0.
Published: 2026-01-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A specially crafted 1x1 pixel image can be supplied to the Idefics3 vision model implementation within vLLM, causing a tensor dimension mismatch that triggers an unhandled runtime error. The error results in the termination of the entire server process, denying all legitimate requests. The flaw is classified under CWE-770, indicating a denial-of-service vulnerability due to improper resource management.

Affected Systems

vLLM, released by the vllm-project, is affected in versions ranging from 0.6.4 up to but not including 0.12.0. The vulnerability applies to the multimodal model handling pathways that engage the Idefics3 vision component.

Risk and Exploitability

The CVSS score of 6.5 classifies the issue as a moderate severity vulnerability. The EPSS score of less than 1% indicates a low likelihood of exploitation at the current time, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, where an attacker can send a crafted image via the exposed API endpoints to trigger the crash. An unpatched server could experience repeated service outages until the patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 07:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vLLM to version 0.12.0 or later to eliminate the tensor mismatch flaw.
  • Restrict or disable the multimodal endpoints that use Idefics3 until the upgrade is complete to prevent attackers from sending malicious payloads.
  • Implement request validation that rejects images with dimensions below a minimum threshold, such as smaller than 2x2 pixels, to mitigate accidental or intentional exploitation before a patch can be applied.

Generated by OpenCVE AI on April 18, 2026 at 07:08 UTC.
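One way to implement the request-validation mitigation from the third recommended action, as an added example that is not code from vLLM or OpenCVE. It assumes images arrive as base64 PNG data: URLs inside OpenAI-style chat-completion image_url content parts (the request shape, MIN_SIDE and the make_png sample generator are assumptions); it reads only the PNG header and refuses images smaller than 2x2 or with a zero dimension before they reach the vision model.

```python
# Added example, not vLLM or OpenCVE code: reject undersized images before the vision model sees them.
import base64
import struct
import zlib

MIN_SIDE = 2  # the advisory's suggested threshold: refuse anything smaller than 2x2 pixels
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_dimensions(data: bytes) -> tuple[int, int]:
    """Read (width, height) from the IHDR chunk without fully decoding the image."""
    if len(data) < 24 or not data.startswith(PNG_SIG) or data[12:16] != b"IHDR":
        raise ValueError("not a PNG or truncated header")
    width, height = struct.unpack(">II", data[16:24])
    if width == 0 or height == 0:
        raise ValueError("zero-sized image")
    return width, height

def image_url_allowed(url: str, min_side: int = MIN_SIDE) -> tuple[bool, str]:
    """Decode a base64 data: URL and decide whether the image may be forwarded."""
    if not url.startswith("data:image/png;base64,"):
        return False, "rejected: unsupported image source"
    try:  # binascii.Error from malformed base64 is a ValueError subclass
        w, h = png_dimensions(base64.b64decode(url.split(",", 1)[1], validate=True))
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if w < min_side or h < min_side:
        return False, f"rejected: {w}x{h} below minimum {min_side}x{min_side}"
    return True, f"ok: {w}x{h}"

def request_allowed(request: dict) -> tuple[bool, str]:
    """Walk OpenAI-style chat messages (assumed request format) and check every image_url part."""
    for msg in request.get("messages", []):
        content = msg.get("content")
        for part in content if isinstance(content, list) else []:
            if part.get("type") == "image_url":
                ok, why = image_url_allowed(part["image_url"]["url"])
                if not ok:
                    return False, why
    return True, "ok"

def make_png(width: int, height: int) -> bytes:
    """Constructed sample input: a minimal valid 8-bit grayscale PNG of the given size."""
    def chunk(tag, body):
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + b"\x80" * width for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")

def to_data_url(png: bytes) -> str:  # wraps PNG bytes as the data: URL a client would send
    return "data:image/png;base64," + base64.b64encode(png).decode()
```

Run request_allowed() on the parsed request body in a proxy or middleware in front of the serving API and return a 4xx instead of forwarding when it reports a rejection.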


Advisories
Source: Github GHSA
ID: GHSA-grg2-63fw-f2qr
Title: vLLM is vulnerable to DoS in Idefics3 vision models via image payload with ambiguous dimensions
History

Tue, 27 Jan 2026 21:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Vllm; Vllm vllm
CPEs | | cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*
Vendors & Products | | Vllm; Vllm vllm

Mon, 12 Jan 2026 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Vllm-project; Vllm-project vllm
Vendors & Products | | Vllm-project; Vllm-project vllm

Mon, 12 Jan 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 10 Jan 2026 12:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Sat, 10 Jan 2026 06:45:00 +0000

Type | Values Removed | Values Added
Description | | vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0.
Title | | vLLM is vulnerable to DoS in Idefics3 vision models via image payload with ambiguous dimensions
Weaknesses | | CWE-770
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T13:22:52.666Z

Reserved: 2026-01-09T18:27:19.387Z

Link: CVE-2026-22773

Vulnrichment

Updated: 2026-01-12T13:22:49.721Z

NVD

Status: Analyzed

Published: 2026-01-10T07:16:03.527

Modified: 2026-01-27T21:03:47.017

Link: CVE-2026-22773

Redhat

Severity: Moderate

Public Date: 2026-01-10T06:39:02Z

Links: CVE-2026-22773 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses