CVE-2026-22778
Heap Address Leak in vLLM Multimodal Endpoint Enables RCE
Publication date: 2026-02-02
Last updated on: 2026-02-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vllm | vllm | From 0.8.3 (inc) to 0.14.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in vLLM versions from 0.8.3 to before 0.14.1. When an invalid image is sent to vLLM's multimodal endpoint, the Python Imaging Library (PIL) throws an error. vLLM returns this error to the client, which leaks a heap address. This leak significantly reduces the effectiveness of Address Space Layout Randomization (ASLR) from about 4 billion guesses to approximately 8 guesses. An attacker can chain this information leak with a heap overflow vulnerability in the JPEG2000 decoder of OpenCV/FFmpeg to achieve remote code execution. The vulnerability is fixed in version 0.14.1.
How can this vulnerability impact me?
This vulnerability can lead to remote code execution on systems running vulnerable versions of vLLM. By leaking a heap address, it allows attackers to bypass ASLR protections, making it easier to exploit a heap overflow in the JPEG2000 decoder of OpenCV/FFmpeg. Successful exploitation could allow attackers to execute arbitrary code remotely, potentially compromising the affected system's confidentiality, integrity, and availability.
What immediate steps should I take to mitigate this vulnerability?
Upgrade vLLM to version 0.14.1 or later, where this vulnerability is fixed. Avoid sending invalid images to the vLLM multimodal endpoint until the update is applied.
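As an added illustration, not code from this record or from vLLM: the defensive pattern for the error path the answers describe, where a decoding failure's message is checked for embedded heap addresses and redacted before it reaches the server log, while the client receives only a fixed message. The PIL-style message shape and the address in it are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample resembling PIL's UnidentifiedImageError text for an unreadable
# in-memory file (assumption about the shape; the address is made up).
SAMPLE_PIL_ERROR = "cannot identify image file <_io.BytesIO object at 0x7f3a1c2b4e10>"

# Python object reprs that embed a heap address, e.g. "<_io.BytesIO object at 0x7f...>".
_OBJECT_REPR_RE = re.compile(r"<([\w.]+) object at 0x[0-9a-fA-F]+>")
# Fallback for any bare pointer-sized hexadecimal value left in the text.
_HEX_ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{8,16}\b")


def redact_addresses(message: str) -> str:
    """Strip heap addresses from an error message but keep the object type name."""
    redacted = _OBJECT_REPR_RE.sub(r"<\1 object>", message)
    return _HEX_ADDR_RE.sub("0x[redacted]", redacted)


def leaks_address(message: str) -> bool:
    """Detection check: does this text still contain something pointer-like?"""
    return bool(_OBJECT_REPR_RE.search(message) or _HEX_ADDR_RE.search(message))


@dataclass
class ClientError:
    status: int
    detail: str


def client_error_for_bad_image(exc: Exception, audit_log: list[str]) -> ClientError:
    """Map an image-decoding failure to a response that exposes no process internals.

    The redacted message is appended to audit_log (a stand-in for the server logger);
    the client only ever sees a fixed string, so nothing from the exception is echoed.
    """
    audit_log.append(f"image decode failed: {redact_addresses(str(exc))}")
    return ClientError(status=400, detail="invalid or unsupported image")
```

The same `leaks_address` check can be run over existing log lines to find messages that already carry addresses.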