Description
vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.
Published: 2026-02-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs when vLLM receives an invalid image through its multimodal endpoint; the underlying PIL library throws an error containing a heap address that is returned to the client. This exposure drastically weakens ASLR from billions of possibilities to approximately eight, constituting an information disclosure (CWE‑209). When chained with a JPEG2000 decoder in OpenCV/FFmpeg, the leaked address allows an attacker to trigger a heap overflow, resulting in remote code execution (CWE‑532).

Affected Systems

Affected versions of the vllm engine include all releases from 0.8.3 up to and including 0.14.0. The vllm-project’s official fix is incorporated in release 0.14.1 and applies to all later releases.

Risk and Exploitability

The CVSS v3.1 base score of 9.8 indicates a critical vulnerability, but the EPSS score of less than 1% suggests that exploitation is unlikely in the wild at present. The attack vector requires an attacker to send a crafted image to the multimodal endpoint, causing the PIL error and leaking the address. With the address known, the attacker can exploit the referenced JPEG2000 heap overflow to achieve remote code execution. The vulnerability is not listed in the CISA KEV catalog, yet its severity warrants immediate remediation.

Generated by OpenCVE AI on April 18, 2026 at 00:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vLLM to version 0.14.1 or later to eliminate the memory address leak.
  • If upgrading is infeasible, restrict or disable the multimodal endpoint so that only authenticated, trusted clients can access it.
  • Apply the latest OpenCV/FFmpeg patches that address the JPEG2000 heap overflow to block the chained exploitation.

Generated by OpenCVE AI on April 18, 2026 at 00:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4r2x-xpjr-7cvv vLLM has RCE In Video Processing
History

Mon, 23 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Vllm
Vllm vllm
CPEs cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*
Vendors & Products Vllm
Vllm vllm

Wed, 04 Feb 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Vllm-project
Vllm-project vllm
Vendors & Products Vllm-project
Vllm-project vllm

Wed, 04 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-209
References
Metrics threat_severity

None

 threat_severity

Critical

Tue, 03 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.
Title vLLM leaks a heap address when PIL throws an error
Weaknesses CWE-532
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Vllm Vllm
Vllm-project Vllm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-03T15:42:57.155Z

Reserved: 2026-01-09T18:27:19.388Z

Link: CVE-2026-22778

cve-icon Vulnrichment

Updated: 2026-02-03T15:42:51.507Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T23:16:06.700

Modified: 2026-02-23T18:19:12.450

Link: CVE-2026-22778

cve-icon Redhat

Severity : Critical

Publid Date: 2026-02-02T21:09:53Z

Links: CVE-2026-22778 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses