vLLM leaks a heap address when PIL throws an error

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.

Basic Information

ID CVE-2026-22778

Source GitHub_M

Published Feb 2, 2026 at 21:09

Affected Product

Vendor vllm-project

Product vllm

Version >= 0.8.3, < 0.14.1

Affected Versions vllm-project vllm >= 0.8.3, < 0.14.1

CWE Classification

CWE-532

References

{
    "lastseen": "",
    "description": "vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.",
    "published": "2026-02-02T21:09:53.265Z",
    "modified": "2026-02-02T21:09:53.265Z",
    "type": "cve",
    "title": "vLLM leaks a heap address when PIL throws an error",
    "source": "GitHub_M",
    "references": "https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv\nhttps://github.com/vllm-project/vllm/pull/31987\nhttps://github.com/vllm-project/vllm/pull/32319\nhttps://github.com/vllm-project/vllm/releases/tag/v0.14.1",
    "id": "CVE-2026-22778",
    "bulletinFamily": "",
    "cwe": [
        "CWE-532"
    ],
    "cvelist": null,
    "sourceData": "vllm-project vllm >= 0.8.3, < 0.14.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vllm",
    "version": ">= 0.8.3, < 0.14.1",
    "vendor": "vllm-project",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

vLLM leaks a heap address when PIL throws an error_CVE-2026-22778