CVE-2026-22778

vLLM leaks a heap address when PIL throws an error

CVSS 9.8 CRITICAL | EPSS 3.3% | CWE-532
In short

When vLLM's multimodal endpoint receives an invalid image, the PIL error text (which contains a heap address) is returned to the client. The leak strips most of the protection ASLR provides and, chained with a separate memory-corruption bug in an image decoder, can lead to remote code execution.

Technical detail

When PIL fails to decode an invalid image submitted to vLLM's multimodal endpoint (versions 0.8.3 through 0.14.0), vLLM passes the exception text straight back to the client. That text embeds a heap address, which cuts the ASLR search space from about 2^32 (4 billion) candidates to roughly 8. On its own this is an information disclosure, not memory corruption; it becomes a remote code execution primitive only when chained with a heap overflow in an image decoder (the advisory names the JPEG2000 decoder in OpenCV/FFmpeg). The fix in 0.14.1 stops the address from reaching the client; an upgrade is the remediation, and until then error bodies returned by the multimodal endpoint should be checked for pointer-looking values.
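The following example, added here and not taken from vLLM or the advisory, shows the three pieces a practitioner wants for this bug: how a PIL decode failure can carry a pointer in its message, a check that tells whether an error body discloses one, and the handler pattern that keeps the detail server-side. The message shape `cannot identify image file <_io.BytesIO object at 0x...>` mirrors what PIL's `UnidentifiedImageError` carries for a nameless file object; when PIL is installed the example calls `Image.open` for real, otherwise it builds an equivalent message so it still runs. The handler functions, `SERVER_LOG` and the address regex are the example's own constructions.

```python
"""Added example: pointer leak via a PIL error message, a leak check for
API responses, and a hardened error path. Not vLLM's code."""
import io
import json
import re

try:  # use the real decoder when available, otherwise mirror its message
    from PIL import Image, UnidentifiedImageError
except ImportError:  # pragma: no cover - PIL is optional for this example
    Image = None

    class UnidentifiedImageError(OSError):
        """Stand-in with the same name as PIL's exception (assumption)."""

# A CPython object repr embeds the object's address, e.g.
# '<_io.BytesIO object at 0x7f3a1c0b2d40>'. Accept 6-16 hex digits so both
# 32-bit and 64-bit userland pointers are matched.
ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{6,16}\b")

# Constructed sample payload: bytes that no image plugin recognises.
JUNK_IMAGE = b"this is not an image at all"


def decode_image(data: bytes) -> None:
    """Raise the decoder error an invalid image produces.

    With PIL present this is PIL's own behaviour; without it the message is
    built with the same 'cannot identify image file %r' format (assumption
    about the exact wording for a given PIL version).
    """
    buf = io.BytesIO(data)
    if Image is not None:
        Image.open(buf)  # raises UnidentifiedImageError for junk input
        return
    raise UnidentifiedImageError("cannot identify image file %r" % (buf,))


def leaked_addresses(text: str) -> list:
    """Every pointer-looking token in text: what an attacker would harvest."""
    return ADDR_RE.findall(text)


def response_leaks_address(body: str) -> bool:
    """Probe check: does a response body disclose a process address?"""
    return bool(leaked_addresses(body))


def redact_addresses(text: str) -> str:
    """Keep the exception text for the server log without the pointer."""
    return ADDR_RE.sub("0x<redacted>", text)


def vulnerable_handler(data: bytes) -> dict:
    """Pre-fix pattern: the exception text is handed straight to the client."""
    try:
        decode_image(data)
    except Exception as exc:  # broad on purpose: mirrors a catch-all error path
        return {"error": str(exc)}
    return {"ok": True}


SERVER_LOG: list = []  # constructed stand-in for the server's logger


def hardened_handler(data: bytes) -> dict:
    """Fixed pattern: detail goes to the server log (address redacted); the
    client gets a fixed message that carries no process-layout information."""
    try:
        decode_image(data)
    except Exception as exc:
        SERVER_LOG.append("image decode failed: " + redact_addresses(str(exc)))
        return {"error": "Invalid image"}
    return {"ok": True}


if __name__ == "__main__":
    before = json.dumps(vulnerable_handler(JUNK_IMAGE))
    after = json.dumps(hardened_handler(JUNK_IMAGE))
    print("vulnerable response:", before)
    print("  leaks address:", response_leaks_address(before),
          leaked_addresses(before))
    print("hardened response:  ", after)
    print("  leaks address:", response_leaks_address(after))
    print("server log:", SERVER_LOG[-1])
```

To use the check against a deployment, send a non-image payload to the multimodal endpoint and run `response_leaks_address` over the raw response body; a `True` result means the error text still reaches the client unfiltered. Redacting with `redact_addresses` is for the server log only; the client should never receive the decoder's message at all, since other reprs and paths in it can disclose more than the pointer.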

Summary generated and translated by AI from the official description.
vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained with a heap overflow in the JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
vllm-project · vllm
