Impact
vLLM, an inference engine for large language models, exposes a critical flaw between versions 0.8.3 and 0.14.0. When an invalid image is submitted to its multimodal endpoint, the underlying PIL library throws an error that carries a stack‑level heap address. This address is returned to the client, turning an inadvertent information leak (CWE‑209) into a powerful observation that compresses the 4‑byte address space from billions of possibilities to only a handful of candidates. Because the leak reveals a precise memory location, an attacker can chain the exposure with a known JPEG2000 heap‑overflow bug in OpenCV or FFmpeg, ultimately achieving remote code execution (CWE‑532).
Affected Systems
The vllm‑project’s vLLM engine, as distributed through its open‑source repository, is vulnerable in all releases from 0.8.3 up to and including 0.14.0. The vulnerability is resolved in release 0.14.1 and applies to all later releases.
Risk and Exploitability
The CVSS v3.1 base score of 9.8 signals a critical risk, but the EPSS score of 3% indicates that, at present, widespread exploitation is unlikely. The attack requires an attacker to craft a specific image and send it to the multimodal endpoint, which will trigger the PIL error and expose the address. With the address known, the attacker may proceed to exploit the JPEG2000 heap overflow in a linked OpenCV/FFmpeg installation to execute arbitrary code. Because the vulnerability is not listed in the CISA KEV catalog, it has not yet been observed in the wild at scale, yet its severity and deployability warrant immediate action.
OpenCVE Enrichment
Github GHSA