Description
vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.
Published: 2026-02-02
Score: 9.8 Critical
EPSS: 3.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

vLLM, an inference engine for large language models, exposes a critical flaw between versions 0.8.3 and 0.14.0. When an invalid image is submitted to its multimodal endpoint, the underlying PIL library throws an error that carries a stack‑level heap address. This address is returned to the client, turning an inadvertent information leak (CWE‑209) into a powerful observation that compresses the 4‑byte address space from billions of possibilities to only a handful of candidates. Because the leak reveals a precise memory location, an attacker can chain the exposure with a known JPEG2000 heap‑overflow bug in OpenCV or FFmpeg, ultimately achieving remote code execution (CWE‑532).

Affected Systems

The vllm‑project’s vLLM engine, as distributed through its open‑source repository, is vulnerable in all releases from 0.8.3 up to and including 0.14.0. The vulnerability is resolved in release 0.14.1 and applies to all later releases.

Risk and Exploitability

The CVSS v3.1 base score of 9.8 signals a critical risk, but the EPSS score of 3% indicates that, at present, widespread exploitation is unlikely. The attack requires an attacker to craft a specific image and send it to the multimodal endpoint, which will trigger the PIL error and expose the address. With the address known, the attacker may proceed to exploit the JPEG2000 heap overflow in a linked OpenCV/FFmpeg installation to execute arbitrary code. Because the vulnerability is not listed in the CISA KEV catalog, it has not yet been observed in the wild at scale, yet its severity and deployability warrant immediate action.

Generated by OpenCVE AI on June 24, 2026 at 12:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vLLM to version 0.14.1 or newer, which removes the heap‑address leak.
  • If an upgrade is unavailable, restrict or disable the multimodal endpoint so that only authenticated, trusted clients can submit images.
  • Apply the latest security patches for OpenCV and FFmpeg that fix the JPEG2000 heap‑overflow flaw, preventing the chained exploitation.

Generated by OpenCVE AI on June 24, 2026 at 12:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4r2x-xpjr-7cvv vLLM has RCE In Video Processing
History

Mon, 23 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Vllm
Vllm vllm
CPEs cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*
Vendors & Products Vllm
Vllm vllm

Wed, 04 Feb 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Vllm-project
Vllm-project vllm
Vendors & Products Vllm-project
Vllm-project vllm

Wed, 04 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-209
References
Metrics threat_severity

None

threat_severity

Critical


Tue, 03 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.
Title vLLM leaks a heap address when PIL throws an error
Weaknesses CWE-532
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-15T01:19:16.712Z

Reserved: 2026-01-09T18:27:19.388Z

Link: CVE-2026-22778

cve-icon Vulnrichment

Updated: 2026-07-13T12:05:17.529Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T23:16:06.700

Modified: 2026-06-17T10:20:24.570

Link: CVE-2026-22778

cve-icon Redhat

Severity : Critical

Publid Date: 2026-02-02T21:09:53Z

Links: CVE-2026-22778 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T13:00:06Z

Weaknesses
  • CWE-209

    Generation of Error Message Containing Sensitive Information

  • CWE-532

    Insertion of Sensitive Information into Log File