Description
vLLM is an inference and serving engine for large language models (LLMs). From 0.6.1 to before 0.20.0, there is a token injection vulnerability in vLLM's multimodal processing. Unauthenticated, text-only prompts that spell special tokens are interpreted as control. Image and video placeholder sequences supplied without matching data cause vLLM to index into empty grids during input-position computation, raising an unhandled IndexError and terminating the worker or degrading availability. Multimodal paths that rely on image_grid_thw/video_grid_thw are affected. This vulnerability is fixed in 0.20.0.
Published: 2026-05-12
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

vLLM, an inference and serving engine for large language models, contains a token injection flaw in its multimodal processing from version 0.6.1 up to and including the 0.19.x releases (fixed in 0.20.0). A text-only prompt that spells out the model's special image or video placeholder tokens is interpreted as if it carried those control tokens, so the engine sees placeholder sequences with no matching image or video data. During input-position computation it then indexes into the empty image_grid_thw or video_grid_thw grid, raising an unhandled IndexError that terminates the worker or degrades availability and denies service to legitimate users. The root cause is CWE-129, improper validation of array index: placeholders are used to index a grid that was never checked to contain a matching entry for each of them.

Affected Systems

The affected vendor is vllm-project and the affected product is the vLLM inference and serving engine. Deployments running vLLM from 0.6.1 (inclusive) up to, but not including, 0.20.0 are susceptible. Only multimodal paths that rely on image_grid_thw or video_grid_thw are affected; note that the triggering prompt itself is text-only, so a deployment serving such a model is exposed even to clients that never upload an image or video.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 is Medium severity; the vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) describes a network-reachable, low-complexity attack with no confidentiality or integrity impact but high availability impact. The EPSS score is below 1% (very low), the SSVC assessment records no known exploitation and rates the flaw as not automatable with partial technical impact, and it is not listed in CISA's KEV catalog. An attacker triggers the flaw remotely by sending a crafted text prompt that spells out the special-token placeholders to an exposed vLLM endpoint. The CVE description characterises the prompt as unauthenticated while the CVSS vector records PR:L; in practice the precondition is whatever access the deployment grants to its generation API, so any instance reachable without an API key is a target for anyone who can reach it. Successful exploitation terminates the worker or degrades availability until the service is restarted, and the request can simply be repeated after each restart.

Generated by OpenCVE AI on May 12, 2026 at 21:41 UTC.

Remediation

Fixed in vLLM 0.20.0; see the GitHub advisory GHSA-hpv8-x276-m59f. Versions from 0.6.1 up to 0.19.x remain vulnerable until upgraded.

OpenCVE Recommended Actions

  • Upgrade vLLM to version 0.20.0 or later, where the placeholder handling has been fixed.
  • If upgrading is not immediately possible, either serve only models whose multimodal paths do not rely on image_grid_thw or video_grid_thw, or reject prompts that contain the placeholder special tokens without corresponding image or video data.
  • Validate input before it reaches the multimodal processor: reject or escape literal special-token text in user-supplied prompts, and confirm that the number of image and video placeholders equals the number of attached items (grid entries) so that every placeholder has data behind it.
  • Monitor worker logs for the IndexError and restart workers automatically; this shortens each outage but does not stop a repeat attacker, so pair it with the input guard above or with rate limiting in front of the engine.
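The following Python example is added here and is not vLLM's code. It models the failure described in the Impact section above (a text-only prompt spelling out placeholder tokens while image_grid_thw and video_grid_thw are empty) and the placeholder-count check recommended in the list above. The placeholder spellings, the MultimodalRequest type and all function names are assumptions for illustration; the real special-token strings come from the deployed model's tokenizer.

```python
"""Pre-engine guard for multimodal placeholder tokens.

Added example, not vLLM project code. It reproduces the failing pattern
(one grid entry consumed per placeholder, no bounds check) beside a guarded
version that rejects the request with a handled error instead of crashing.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# ASSUMPTION: illustrative placeholder spellings, not vLLM's real token names.
IMAGE_PLACEHOLDERS: Tuple[str, ...] = ("<image>", "<|image_pad|>")
VIDEO_PLACEHOLDERS: Tuple[str, ...] = ("<video>", "<|video_pad|>")

Grid = Tuple[int, int, int]  # (t, h, w) patch grid for one attached item


@dataclass
class MultimodalRequest:
    """Hypothetical request shape: raw prompt plus one grid per image/video."""
    prompt: str
    image_grid_thw: List[Grid] = field(default_factory=list)
    video_grid_thw: List[Grid] = field(default_factory=list)


def count_placeholders(prompt: str, placeholders: Tuple[str, ...]) -> int:
    """Count literal placeholder spellings in the raw prompt text."""
    pattern = "|".join(re.escape(p) for p in placeholders)
    return len(re.findall(pattern, prompt))


def positions_vulnerable(req: MultimodalRequest) -> List[int]:
    """The failing pattern: every placeholder consumes a grid entry without
    checking that the grid actually has one, so an empty grid raises IndexError."""
    n_img = count_placeholders(req.prompt, IMAGE_PLACEHOLDERS)
    n_vid = count_placeholders(req.prompt, VIDEO_PLACEHOLDERS)
    spans: List[int] = []
    for i in range(n_img):
        t, h, w = req.image_grid_thw[i]  # IndexError when the grid is empty
        spans.append(t * h * w)
    for i in range(n_vid):
        t, h, w = req.video_grid_thw[i]  # IndexError when the grid is empty
        spans.append(t * h * w)
    return spans


def validate_placeholders(req: MultimodalRequest) -> Optional[str]:
    """Return a rejection reason, or None when placeholders and data agree."""
    checks = (
        ("image", count_placeholders(req.prompt, IMAGE_PLACEHOLDERS), len(req.image_grid_thw)),
        ("video", count_placeholders(req.prompt, VIDEO_PLACEHOLDERS), len(req.video_grid_thw)),
    )
    for kind, n_tokens, n_grids in checks:
        if n_tokens != n_grids:
            return (f"{n_tokens} {kind} placeholder(s) in prompt but "
                    f"{n_grids} {kind}_grid_thw entries supplied")
    return None


def positions_guarded(req: MultimodalRequest) -> List[int]:
    """Hardened path: a mismatch becomes a ValueError the API layer can map to
    a 400 response, instead of an IndexError that takes the worker down."""
    reason = validate_placeholders(req)
    if reason is not None:
        raise ValueError(reason)
    return positions_vulnerable(req)  # safe here: every placeholder has a grid


def outcome(fn: Callable[[MultimodalRequest], List[int]], req: MultimodalRequest) -> str:
    """Name of the exception a path raises for req, or 'ok' if it returns."""
    try:
        fn(req)
    except Exception as exc:  # broad on purpose: we report the class name
        return type(exc).__name__
    return "ok"


if __name__ == "__main__":
    # Constructed sample: text-only prompt spelling a placeholder, no image data.
    bad = MultimodalRequest(prompt="Describe this: <|image_pad|>")
    print("vulnerable path:", outcome(positions_vulnerable, bad))
    print("guarded path:", outcome(positions_guarded, bad), validate_placeholders(bad))
    good = MultimodalRequest(prompt="Describe this: <image>", image_grid_thw=[(1, 4, 4)])
    print("guarded path with data:", outcome(positions_guarded, good), positions_guarded(good))
```

The guard runs on raw text before tokenization, which is what a reverse proxy or API wrapper can see; a tokenizer may split or normalise text differently, so the authoritative check belongs after tokenization, comparing the count of placeholder token ids against the grid entries. Treat this as a stopgap until the upgrade to 0.20.0, which fixes the path inside vLLM itself.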



Advisories
  • Source: GitHub GHSA; ID: GHSA-hpv8-x276-m59f; Title: vLLM Vulnerable to Remote DoS via Special-Token Placeholders
History

Thu, 14 May 2026 15:45:00 +0000

  • First Time appeared, values added: Vllm; Vllm vllm
  • CPEs, values added: cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*
  • Vendors & Products, values added: Vllm; Vllm vllm

Wed, 13 May 2026 13:15:00 +0000

  • Metrics, values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 23:00:00 +0000

  • First Time appeared, values added: Vllm-project; Vllm-project vllm
  • Vendors & Products, values added: Vllm-project; Vllm-project vllm

Tue, 12 May 2026 20:15:00 +0000

  • Description, values added: the CVE description reproduced at the top of this page
  • Title, values added: vLLM: Remote DoS via Special-Token Placeholders
  • Weaknesses, values added: CWE-129
  • References: no values shown
  • Metrics, values added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T12:24:53.560Z

Reserved: 2026-05-05T15:42:40.518Z

Link: CVE-2026-44222

Vulnrichment

Updated: 2026-05-13T12:24:49.160Z

NVD

Status : Analyzed

Published: 2026-05-12T20:16:43.160

Modified: 2026-05-14T15:38:19.560

Link: CVE-2026-44222

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:45:15Z

Weaknesses