CVE-2026-22773
published 2026-01-10


Priority: P343
Severity: high (7.5, CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 0.40% (32.2th percentile)
vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0.

Affected

3 ranges

Vendor          Product   Version range          Fixed in
vllm-project    vllm      (not listed)           (not listed)
vllm            vllm      >= 0.6.4, < 0.12.0     0.12.0
vllm            vllm      >= 0.6.4, < 0.12.0     0.12.0

CVSS provenance

nvd            v3.1   7.5   HIGH     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat         6.5   MEDIUM