CVE-2026-54236: Memory Address Leak in vLLM via Image Handling

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo str(exc) directly to clients without calling sanitize_message.

The unsanitized sites include the Anthropic API router in vllm/entrypoints/anthropic/api_router.py (the POST /v1/messages and POST /v1/messages/count_tokens handlers), the Server-Sent Events streaming converter in vllm/entrypoints/anthropic/serving.py, and the realtime speech-to-text WebSocket in vllm/entrypoints/speech_to_text/realtime/connection.py. These paths catch the exception inside the route coroutine and construct the JSONResponse themselves, bypassing the sanitizing global FastAPI exception handler, and WebSocket frames do not traverse that handler chain at all.

Using the same primitive as the parent issue, an unauthenticated attacker can send malformed image bytes through the Anthropic Messages API image content parts so that PIL.Image.open raises an UnidentifiedImageError whose message contains the BytesIO object repr, leaking the heap memory address verbatim in the error.message field of the response body. This vulnerability is fixed in 0.23.1rc0.
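The sanitizing pattern the advisory describes, as an added illustration that is not vLLM's own sanitize_message or its route handlers: a regex that strips the address from a default object repr, a constructed stand-in for PIL.Image.open that reproduces the repr-bearing message without a PIL dependency, the unsanitized and sanitized error paths side by side, and a check a defender can run over captured response bodies. Function names, the PNG-signature shortcut and the error envelope shape are assumptions for the example.

```python
import io
import re

# Default CPython repr for objects without a custom __repr__, e.g. the BytesIO
# handed to PIL.Image.open: "<_io.BytesIO object at 0x7f...>". Illustrative
# pattern, not vLLM's own sanitize_message implementation.
_OBJECT_REPR_ADDR = re.compile(r"<([\w.]+) object at 0x[0-9a-fA-F]+>")

def sanitize_message(message: str) -> str:
    """Drop the heap address from any object repr embedded in an error string."""
    return _OBJECT_REPR_ADDR.sub(r"<\1 object>", message)

def fake_pil_open(data: bytes) -> None:
    """Constructed stand-in for PIL.Image.open (no PIL dependency).

    PIL builds the UnidentifiedImageError message with %r of the file object,
    so a BytesIO contributes its default repr, heap address included.
    """
    if data[:8] == b"\x89PNG\r\n\x1a\n":  # treat a PNG signature as "decodable"
        return
    raise ValueError("cannot identify image file %r" % io.BytesIO(data))

def _error_body(message: str) -> dict:
    """Anthropic-style error envelope; the leak lands in error.message."""
    return {"type": "error", "error": {"type": "invalid_request_error", "message": message}}

def vulnerable_handler(image_bytes: bytes) -> dict:
    """Error path that echoes str(exc) verbatim, as the unsanitized sites did."""
    try:
        fake_pil_open(image_bytes)
    except ValueError as exc:
        return _error_body(str(exc))
    return {"type": "ok"}

def fixed_handler(image_bytes: bytes) -> dict:
    """Same path, routed through sanitize_message before the body is built."""
    try:
        fake_pil_open(image_bytes)
    except ValueError as exc:
        return _error_body(sanitize_message(str(exc)))
    return {"type": "ok"}

def leaks_address(body: dict) -> bool:
    """Detection check: does a response body's error.message carry a heap address?"""
    message = body.get("error", {}).get("message", "")
    return _OBJECT_REPR_ADDR.search(message) is not None
```

leaks_address can be pointed at logged or proxied response bodies to find any remaining path that still echoes an unsanitized repr.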
Affected Vendors & Products: Currently, no data is known.
CWE-532: The product writes sensitive information to a log file.
Executive Summary

This vulnerability affects vLLM, an inference and serving engine for large language models. Before version 0.23.1rc0, a fix for a previous issue (CVE-2026-22778) was incomplete. Specifically, some response paths in the software send error messages directly to clients without properly sanitizing them. These error messages can include memory addresses from the server's heap, which are leaked because the sanitize_message helper is not called in these cases.

An unauthenticated attacker can exploit this by sending malformed image bytes through the Anthropic Messages API. This causes an error (UnidentifiedImageError) that includes a memory address in its message, which is then exposed in the response body. This leak of heap memory addresses can reveal sensitive internal information about the server.

The vulnerability is fixed in version 0.23.1rc0 by ensuring all error messages are properly sanitized before being sent to clients.

Impact Analysis

This vulnerability can impact you by leaking internal memory addresses of the server to unauthenticated attackers. Such information disclosure can aid attackers in further exploiting the system by providing insights into the server's memory layout.

Although the vulnerability does not directly allow modification or denial of service, the information leak can be a stepping stone for more severe attacks.

Since the vulnerability can be exploited remotely without authentication, it increases the risk exposure of systems running vulnerable versions of vLLM.

Mitigation Strategies

To mitigate this vulnerability, upgrade vLLM to version 0.23.1rc0 or later, where the issue is fixed.

The vulnerability arises because several response paths bypass the sanitize_message helper, allowing memory addresses to leak in error messages. Running the fixed version, in which those paths sanitize error messages before building the response, prevents this information leakage.
