{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22778", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-09T18:27:19.388Z", "datePublished": "2026-02-02T21:09:53.265Z", "dateUpdated": "2026-02-03T15:42:57.155Z"}, "containers": {"cna": {"title": "vLLM leaks a heap address when PIL throws an error", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv"}, {"name": "https://github.com/vllm-project/vllm/pull/31987", "tags": ["x_refsource_MISC"], "url": "https://github.com/vllm-project/vllm/pull/31987"}, {"name": "https://github.com/vllm-project/vllm/pull/32319", "tags": ["x_refsource_MISC"], "url": "https://github.com/vllm-project/vllm/pull/32319"}, {"name": "https://github.com/vllm-project/vllm/releases/tag/v0.14.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/vllm-project/vllm/releases/tag/v0.14.1"}], "affected": [{"vendor": "vllm-project", "product": "vllm", "versions": [{"version": ">= 0.8.3, < 0.14.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-02T21:09:53.265Z"}, "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1."}], "source": {"advisory": "GHSA-4r2x-xpjr-7cvv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T15:40:34.684022Z", "id": "CVE-2026-22778", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:42:57.155Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "vLLM leaks a heap address when PIL throws an error", "source": {"advisory": "GHSA-4r2x-xpjr-7cvv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "vllm-project", "product": "vllm", "versions": [{"status": "affected", "version": ">= 0.8.3, < 0.14.1"}]}], "references": [{"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv", "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vllm-project/vllm/pull/31987", "name": "https://github.com/vllm-project/vllm/pull/31987", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vllm-project/vllm/pull/32319", "name": "https://github.com/vllm-project/vllm/pull/32319", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vllm-project/vllm/releases/tag/v0.14.1", "name": "https://github.com/vllm-project/vllm/releases/tag/v0.14.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-02T21:09:53.265Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22778", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-03T15:40:34.684022Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-02-03T15:42:51.507Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-22778", "state": "PUBLISHED", "dateUpdated": "2026-02-02T21:09:53.265Z", "dateReserved": "2026-01-09T18:27:19.388Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-02T21:09:53.265Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EBA2094-B756-41D7-A899-8C028DF95FF4", "versionEndExcluding": "0.14.1", "versionStartIncluding": "0.8.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1."}, {"lang": "es", "value": "vLLM es un motor de inferencia y servicio para modelos de lenguaje grandes (LLM). Desde la versi\u00f3n 0.8.3 hasta antes de la 0.14.1, cuando se env\u00eda una imagen inv\u00e1lida al endpoint multimodal de vLLM, PIL lanza un error. vLLM devuelve este error al cliente, filtrando una direcci\u00f3n de mont\u00edculo. Con esta fuga, reducimos ASLR de 4 mil millones de intentos a ~8 intentos. Esta vulnerabilidad puede encadenarse a un desbordamiento de mont\u00edculo con el decodificador JPEG2000 en OpenCV/FFmpeg para lograr ejecuci\u00f3n remota de c\u00f3digo. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.14.1."}], "id": "CVE-2026-22778", "lastModified": "2026-02-23T18:19:12.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-02T23:16:06.700", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/vllm-project/vllm/pull/31987"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/vllm-project/vllm/pull/32319"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/vllm-project/vllm/releases/tag/v0.14.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vLLM: vLLM: Remote code execution via invalid image processing in the multimodal endpoint.", "id": "2436113", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436113"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-209", "details": ["vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.", "A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). A remote attacker can exploit this vulnerability by sending a specially crafted invalid image to vLLM's multimodal endpoint. This action causes vLLM to leak a heap memory address, significantly reducing the effectiveness of Address Space Layout Randomization (ASLR). This information disclosure can then be chained with a heap overflow vulnerability to achieve remote code execution."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-22778", "package_state": [{"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis-preview/vllm-cuda-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-cuda-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-rocm-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-spyre-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-tpu-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-aws-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-azure-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-gcp-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-kserve-agent-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-kserve-controller-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-kserve-router-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-kserve-storage-initializer-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-vllm-cpu-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-vllm-cuda-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-vllm-gaudi-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-vllm-rocm-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-02-02T21:09:53Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22778\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22778\nhttps://github.com/vllm-project/vllm/pull/31987\nhttps://github.com/vllm-project/vllm/pull/32319\nhttps://github.com/vllm-project/vllm/releases/tag/v0.14.1\nhttps://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv"], "statement": "This vulnerability is rated Critical rather than Important because it allows unauthenticated remote code execution without requiring user interaction, ultimately leading to full compromise of the affected system. An attacker can provide a malicious video URL to a vulnerable vLLM inference endpoint, which causes the service to automatically retrieve and process attacker-controlled media content. During decoding, a heap overflow is triggered in the underlying video processing stack, enabling corruption of heap memory and potential overwriting of control structures to execute arbitrary commands on the host. In addition, an information disclosure condition can leak memory addresses, significantly weakening ASLR protections and making exploitation more reliable when combined with the heap overflow. Successful exploitation compromises the confidentiality, integrity, and availability of the system and can impact deployments such as Red Hat AI Inference Server, Red Hat Enterprise Linux AI, and Red Hat OpenShift AI, thereby meeting Red Hat\u2019s criteria for Critical severity rather than Important impact.", "threat_severity": "Critical"}