Impact
vLLM versions from 0.10.2 up to, but not including, 0.13.0 tensor indices used in multimodal embeddings. An attacker that can submit crafted embedding requests can provision tensors with negative or out‑of‑bounds indices, provoking flaw is rooted in improper input validation (CWE‑20) and may also lead to out‑of‑bounds memory corruption.
Affected Systems
The vulnerability affects the vLLM library released by vLLM. All installations using versions 0.10.2 through 0.12.x that have the prompt‑embeds feature enabled are impacted. Versions prior to 0.10.2 and 0.13.0 or later are not affected.
Risk and Exploitability
The CVSS score of 8.7 classifies the flaw as High severity. The EPSS score of <1% indicates a very low but nonzero probability of exploitation. The flaw is not currently listed in CISA KEV. Based on the description, it is inferred that attackers can exploit it from any network location that can send HTTP requests to the vLLM service by providing malicious multimodal embedding data. This and potentially expose memory safety vulnerabilities.
OpenCVE Enrichment