cbcvebase.
CVE-2026-22778
published 2026-02-02

CVE-2026-22778: vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal…

PriorityP273critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
3.82%
88.7th percentile
vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.

Affected

18 ranges
VendorProductVersion rangeFixed in
rhaiivllm-cpu-rhel9
rhaiivllm-cuda-rhel9
rhaiivllm-gaudi-rhel9
rhaiivllm-rocm-rhel9
rhaiivllm-spyre-rhel9
rhelai3bootc-aws-cuda-rhel9
rhelai3bootc-azure-cuda-rhel9
rhelai3bootc-azure-rocm-rhel9
rhelai3bootc-cuda-rhel9
rhelai3bootc-gaudi-rhel9
rhelai3bootc-gcp-cuda-rhel9
rhelai3bootc-rocm-rhel9
rhoaiodh-vllm-gaudi-rhel9
vllm-projectvllm< 0.23.1rc00.23.1rc0
vllmvllm< 0.23.10.23.1
vllmvllm0 – 0.23.0
vllmvllm>= 0.8.3 < 0.14.10.14.1
vllmvllm>= 0.8.3 < 0.14.10.14.1

Detection & IOCsextracted from sources · hover to see the quote

urlPOST /v1/messages
urlPOST /v1/messages/count_tokens
pathvllm/entrypoints/anthropic/api_router.py
pathvllm/entrypoints/anthropic/serving.py
pathvllm/entrypoints/speech_to_text/realtime/connection.py
othershodan-query: http.html:"/v1/models" http.html:"vllm"
bytes
_io.BytesIO object at 0x
  • Exploit request targets POST /v1/messages with a malformed base64-encoded image payload (non-image bytes) in the 'image' content part to trigger PIL.Image.open UnidentifiedImageError and leak heap address in the response body.
  • Probe for vLLM presence first via GET /v1/models and check for JSON 'id' field before sending the exploit payload to POST /v1/messages.
  • WebSocket endpoint vllm/entrypoints/speech_to_text/realtime/connection.py is also vulnerable; WebSocket frames bypass the FastAPI global exception handler entirely and echo str(exc) directly.
  • The leaked heap address in the error response reduces ASLR from ~4 billion guesses to ~8 guesses, enabling reliable chaining with heap overflow for RCE.
  • ·The parent CVE-2026-22778 fix added sanitize_message only to the OpenAI router; the Anthropic-compatible router (/v1/messages) and WebSocket paths were missed, meaning deployments that believed they were patched after 0.14.1 remain vulnerable until 0.23.1rc0.
  • ·The vulnerability is exploitable by unauthenticated attackers — no credentials or prior access are required to trigger the heap address leak via the Anthropic Messages API.
  • ·Red Hat AI Inference Server packages rhaiis/* are listed as 'Not affected'; only rhaii/* and rhelai3/* packages have deferred fixes, so Red Hat-based deployments should verify exact package lineage before assuming exposure.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa9.8CRITICAL
vendor_redhat9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.