CVE-2026-22778
Published 2026-02-02
Priority: P2 73 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.82% (88.7th percentile)
vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained with a heap overflow in the JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rhaii | vllm-cpu-rhel9 | — | — |
| rhaii | vllm-cuda-rhel9 | — | — |
| rhaii | vllm-gaudi-rhel9 | — | — |
| rhaii | vllm-rocm-rhel9 | — | — |
| rhaii | vllm-spyre-rhel9 | — | — |
| rhelai3 | bootc-aws-cuda-rhel9 | — | — |
| rhelai3 | bootc-azure-cuda-rhel9 | — | — |
| rhelai3 | bootc-azure-rocm-rhel9 | — | — |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-gcp-cuda-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhoai | odh-vllm-gaudi-rhel9 | — | — |
| vllm-project | vllm | < 0.23.1rc0 | 0.23.1rc0 |
| vllm | vllm | < 0.23.1 | 0.23.1 |
| vllm | vllm | 0 – 0.23.0 | — |
| vllm | vllm | >= 0.8.3 < 0.14.1 | 0.14.1 |
| vllm | vllm | >= 0.8.3 < 0.14.1 | 0.14.1 |
Detection & IOCs (extracted from sources)
- other · shodan-query: `http.html:"/v1/models" http.html:"vllm"`
- bytes · `_io.BytesIO object at 0x`
- Exploit request targets POST /v1/messages with a malformed base64-encoded image payload (non-image bytes) in the 'image' content part to trigger PIL.Image.open UnidentifiedImageError and leak heap address in the response body.
- Probe for vLLM presence first via GET /v1/models and check for JSON 'id' field before sending the exploit payload to POST /v1/messages.
- WebSocket endpoint vllm/entrypoints/speech_to_text/realtime/connection.py is also vulnerable; WebSocket frames bypass the FastAPI global exception handler entirely and echo str(exc) directly.
- The leaked heap address in the error response reduces ASLR from ~4 billion guesses to ~8 guesses, enabling reliable chaining with heap overflow for RCE.
- The parent CVE-2026-22778 fix added sanitize_message only to the OpenAI router; the Anthropic-compatible router (/v1/messages) and WebSocket paths were missed, meaning deployments that believed they were patched after 0.14.1 remain vulnerable until 0.23.1rc0.
- The vulnerability is exploitable by unauthenticated attackers — no credentials or prior access are required to trigger the heap address leak via the Anthropic Messages API.
- Red Hat AI Inference Server packages rhaiis/* are listed as 'Not affected'; only rhaii/* and rhelai3/* packages have deferred fixes, so Red Hat-based deployments should verify exact package lineage before assuming exposure.
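
The notes above come down to one failure: some response paths return `str(exc)` without stripping object-repr addresses. The following is an added example, not vLLM's `sanitize_message` and not code from any of the quoted sources; it routes the HTTP, SSE and WebSocket error paths through a single scrubbing function and uses the same pattern to flag captured response bodies that expose an address. All function names and the constructed exception are assumptions made for illustration.

```python
import io
import json
import re

# Address part of a default CPython object repr, e.g.
# "<_io.BytesIO object at 0x7f3a2c1b4e50>"; group 1 keeps the type text.
REPR_ADDR = re.compile(r"(<[^<>]*?) at 0x[0-9a-fA-F]+>")

def scrub_addresses(text: str) -> str:
    """Remove ' at 0x...' from object reprs; the rest of the message survives."""
    return REPR_ADDR.sub(r"\1>", text)

def error_body(exc: BaseException) -> dict:
    """Single choke point: every client-facing error is built here."""
    return {"type": "error",
            "error": {"type": type(exc).__name__,
                      "message": scrub_addresses(str(exc))}}

def sse_error_frame(exc: BaseException) -> str:
    """Streaming path: same body, Server-Sent Events framing."""
    return f"event: error\ndata: {json.dumps(error_body(exc))}\n\n"

def ws_error_frame(exc: BaseException) -> str:
    """WebSocket path: same body as a JSON text frame."""
    return json.dumps(error_body(exc))

def find_leaks(bodies):
    """Detection side: indexes of captured response bodies exposing an address."""
    return [i for i, body in enumerate(bodies) if REPR_ADDR.search(body)]

def constructed_decode_error() -> Exception:
    """Constructed stand-in for the image-decoder failure: the message embeds
    repr() of an in-memory buffer, which carries the buffer's address."""
    buf = io.BytesIO(b"not an image")
    return ValueError(f"cannot identify image file {buf!r}")

if __name__ == "__main__":
    exc = constructed_decode_error()
    print("raw     :", str(exc))
    print("http    :", json.dumps(error_body(exc)))
    print("sse     :", sse_error_frame(exc).strip())
    print("flagged :", find_leaks([str(exc), ws_error_frame(exc)]))
```

Running `find_leaks` over recorded error responses from every router and streaming path in a test suite is a cheap regression check for a newly added handler that skips the scrubber.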
CVSS provenance
- nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- ghsa · 9.8 CRITICAL
- vendor_redhat · 9.8 CRITICAL
Red Hat
vllm: vLLM: Information Disclosure via Incomplete Error Message Sanitization
vendor_redhat·2026-06-22·CVSS 9.8
CVE-2026-54236 [CRITICAL] CWE-209 vllm: vLLM: Information Disclosure via Incomplete Error Message Sanitization
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo str(exc) directly to clients without calling sanitize_message. The unsanitized sites include the Anthropic API router in vllm/entrypoints/anthropic/api_router.py (the POST /v1/messages and POST /v1/messages/count_tokens handlers), the Server-Sent Events streaming converter in vllm/entrypoints/anthropic/serving.py, and the realtime speech-to-text WebSocket in vllm/entrypoints/speech_to_text/realtime/connection.py. These
Red Hat
vLLM: vLLM: Remote code execution via invalid image processing in the multimodal endpoint.
vendor_redhat·2026-02-02·CVSS 9.8
CVE-2026-22778 [CRITICAL] CWE-209 vLLM: vLLM: Remote code execution via invalid image processing in the multimodal endpoint.
vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained with a heap overflow in the JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.
A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). A remote attacker can exploit this vulnerability by sending a specially crafted video URL to vLLM's multimodal endpoint. This action cau
GHSA
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
ghsa·2026-06-17·CVSS 9.8
CVE-2026-54236 [CRITICAL] CWE-532 vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
# vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via the Anthropic API router
**Researcher:** Kai Aizen — SnailSploit (@SnailSploit), Adversarial & Offensive Security Research
**Severity:** CVSS 3.1 5.3 (Medium) `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`
**Target:** https://github.com/vllm-project/vllm
---
## Summary
The fix for CVE-2026-22778 / GHSA-4r2x-xpjr-7cvv (PRs #31987 and #32319) introduced `sanitize_message` and applied it at four FastAPI exception-handling sites in the OpenAI router. The sanitizer strips object-repr memory addresses (`` → ``) before error messages reach the client, defeating the ASLR-bypass primitive that CVE-2026-22778 chained with a libopenjp2 heap overflow for RCE.
OSV
vLLM has RCE In Video Processing
osv·2026-02-02
CVE-2026-22778 [CRITICAL] vLLM has RCE In Video Processing
## Summary
**A chain of vulnerabilities in vLLM allows Remote Code Execution (RCE):**
1. **Info Leak** - PIL error messages expose memory addresses, bypassing ASLR
2. **Heap Overflow** - JPEG2000 decoder in OpenCV/FFmpeg has a heap overflow that lets us hijack code execution
**Result:** Send a malicious video URL to vLLM Completions or Invocations **for a video model** -> Execute arbitrary commands on the server
A completely default vLLM instance, installed directly from pip or Docker, does not have authentication, so "None" privileges are required; even with the non-default api-key configuration enabled, this exploit is feasible through the invocations route, which allows the payload to execute pre-auth.
Example heap target is provided, other heap targets can be exploited as
GHSA
vLLM has RCE In Video Processing
ghsa·2026-02-02
CVE-2026-22778 [CRITICAL] CWE-122 vLLM has RCE In Video Processing
No detection rules found.
Nuclei
vLLM <= 0.23.0 - Anthropic Router Heap Address Information Leak
nuclei·CVSS 9.8
CVE-2026-54236 [CRITICAL] vLLM <= 0.23.0 - Anthropic Router Heap Address Information Leak
vLLM <= 0.23.0 incompletely fixes CVE-2026-22778. The original fix added sanitize_message to the OpenAI router but the Anthropic-compatible router (/v1/messages) echoes str(exc) directly.
Template:

```yaml
id: CVE-2026-54236

info:
  name: vLLM <= 0.23.0 - Anthropic Router Heap Address Information Leak
  author: kenlacroix
  severity: medium
  description: |
    vLLM <= 0.23.0 incompletely fixes CVE-2026-22778. The original fix added sanitize_message to the OpenAI router but the Anthropic-compatible router (/v1/messages) echoes str(exc) directly.
  impact: |
    Remote attackers can leak heap addresses, significantly reducing ASLR effectiveness and enabling further exploitation like remote code execution.
  remediation: |
    Update to vllm version to lat
```
Bugzilla
CVE-2026-54236 vllm: vLLM: Information Disclosure via Incomplete Error Message Sanitization
bugzilla·2026-06-22·CVSS 9.8
CVE-2026-54236 [CRITICAL] CVE-2026-54236 vllm: vLLM: Information Disclosure via Incomplete Error Message Sanitization
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo str(exc) directly to clients without calling sanitize_message. The unsanitized sites include the Anthropic API router in vllm/entrypoints/anthropic/api_router.py (the POST /v1/messages and POST /v1/messages/count_tokens handlers), the Server-Sent Events streaming converter in vllm/entrypoints/anthropic/serving.py, and the realtime speech-to-text WebSocket in vllm/entrypoints/speech_to_text/realtime/connec
Wiz
CVE-2026-22778 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22778 [CRITICAL] CVE-2026-22778 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22778: Chainguard vulnerability analysis and mitigation
vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained with a heap overflow in the JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.
Source: NVD
- Score: 9.8
- Published: February 2, 2026
- Severity: CRITICAL
- CNA Score: 9.8
- Affected Technologies: Chainguard, vLLM
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Prob
- https://github.com/vllm-project/vllm/pull/31987
- https://github.com/vllm-project/vllm/pull/32319
- https://github.com/vllm-project/vllm/releases/tag/v0.14.1
- https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv
- https://access.redhat.com/errata/RHSA-2026:19712
- https://access.redhat.com/errata/RHSA-2026:30087
- https://access.redhat.com/errata/RHSA-2026:30088
- https://access.redhat.com/errata/RHSA-2026:30089
- https://access.redhat.com/errata/RHSA-2026:3461
- https://access.redhat.com/errata/RHSA-2026:3462
- https://access.redhat.com/errata/RHSA-2026:3713
- https://access.redhat.com/errata/RHSA-2026:3782
- https://access.redhat.com/security/cve/CVE-2026-22778
- https://bugzilla.redhat.com/show_bug.cgi?id=2436113
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22778.json

Published: 2026-02-02