CVE-2026-54236
Analyzed Analyzed - Analysis Complete

Memory Address Leak in vLLM via Image Handling

Vulnerability report for CVE-2026-54236, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo str(exc) directly to clients without calling sanitize_message. The unsanitized sites include the Anthropic API router in vllm/entrypoints/anthropic/api_router.py (the POST /v1/messages and POST /v1/messages/count_tokens handlers), the Server-Sent Events streaming converter in vllm/entrypoints/anthropic/serving.py, and the realtime speech-to-text WebSocket in vllm/entrypoints/speech_to_text/realtime/connection.py. These paths catch the exception inside the route coroutine and construct the JSONResponse themselves, bypassing the sanitizing global FastAPI exception handler, and WebSocket frames do not traverse that handler chain at all. Using the same primitive as the parent issue, an unauthenticated attacker can send malformed image bytes through the Anthropic Messages API image content parts so that PIL.Image.open raises an UnidentifiedImageError whose message contains the BytesIO object repr, leaking the heap memory address verbatim in the error.message field of the response body. This vulnerability is fixed in 0.23.1rc0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-24
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vllm vllm to 0.23.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects vLLM, an inference and serving engine for large language models. Before version 0.23.1rc0, a fix for a previous issue (CVE-2026-22778) was incomplete. Specifically, some response paths in the software send error messages directly to clients without properly sanitizing them. These error messages can include memory addresses from the server's heap, which are leaked because the sanitize_message helper is not called in these cases.

An unauthenticated attacker can exploit this by sending malformed image bytes through the Anthropic Messages API. This causes an error (UnidentifiedImageError) that includes a memory address in its message, which is then exposed in the response body. This leak of heap memory addresses can reveal sensitive internal information about the server.

The vulnerability is fixed in version 0.23.1rc0 by ensuring all error messages are properly sanitized before being sent to clients.

Impact Analysis

This vulnerability can impact you by leaking internal memory addresses of the server to unauthenticated attackers. Such information disclosure can aid attackers in further exploiting the system by providing insights into the server's memory layout.

Although the vulnerability does not directly allow modification or denial of service, the information leak can be a stepping stone for more severe attacks.

Since the vulnerability can be exploited remotely without authentication, it increases the risk exposure of systems running vulnerable versions of vLLM.

Mitigation Strategies

To mitigate this vulnerability, upgrade vLLM to version 0.23.1rc0 or later, where the issue is fixed.

The vulnerability arises because several response paths bypass the sanitize_message helper, allowing memory addresses to leak in error messages. Ensuring you are running the fixed version will prevent this information leakage.

Compliance Impact

This vulnerability involves the exposure of sensitive memory addresses in error messages returned by the vLLM Anthropic API router and related endpoints. Such leakage of sensitive information can be classified under CWE-532 (sensitive information exposure).

Exposure of sensitive internal memory addresses could potentially increase the risk of further exploitation, which may impact the confidentiality and integrity of data processed by the system.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, leaking sensitive internal information could be considered a violation of data protection principles under these regulations, especially if such information could lead to unauthorized access or compromise of personal data.

Therefore, organizations using affected versions of vLLM should consider this vulnerability as a risk to compliance with data protection regulations and apply the provided fixes promptly to mitigate exposure.

Detection Guidance

This vulnerability can be detected by monitoring the error responses from the Anthropic API router endpoints, the Server-Sent Events streaming converter, and the realtime speech-to-text WebSocket connections in the vLLM service. Specifically, look for error messages that contain raw memory addresses, such as representations of BytesIO objects (e.g., <_io.BytesIO object at 0x7a95e299e750>) in the response body.

To detect this on your system, you can send malformed image data to the affected API endpoints (POST /v1/messages and POST /v1/messages/count_tokens) and observe if the error responses leak memory addresses in their messages.

Example commands to test this might include using curl or similar HTTP clients to send malformed image bytes to the Anthropic API endpoints and inspecting the JSON error responses for unsanitized memory addresses.

  • curl -X POST https://your-vllm-instance/v1/messages -H 'Content-Type: application/json' -d '{"image_content": "malformed_image_bytes_here"}'
  • curl -X POST https://your-vllm-instance/v1/messages/count_tokens -H 'Content-Type: application/json' -d '{"image_content": "malformed_image_bytes_here"}'

After sending such requests, check the response body for error messages containing raw memory addresses or BytesIO object representations, which indicate the vulnerability is present.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54236. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart