CVE-2026-22778

9.8 CRITICAL

📋 TL;DR

This vulnerability in vLLM allows attackers to leak heap memory addresses by sending invalid images to the multimodal endpoint, which reduces ASLR entropy and can be chained with a heap overflow in JPEG2000 decoders to achieve remote code execution. Systems running vLLM versions 0.8.3 through 0.14.0 with the multimodal endpoint enabled are affected. The vulnerability is particularly dangerous because it can lead to full system compromise.

💻 Affected Systems

Products:
  • vLLM
Versions: 0.8.3 to 0.14.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with the multimodal endpoint enabled and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case: Information disclosure of heap memory addresses enabling more reliable exploitation of other vulnerabilities.

🟢 If Mitigated: Limited information disclosure without successful RCE due to additional security controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires chaining with JPEG2000 decoder heap overflow for RCE, but information disclosure is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.14.1

Vendor Advisory: https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv

Restart Required: Yes

Instructions:

1. Update vLLM to version 0.14.1 or later using pip (quote the specifier so the shell does not treat `>` as a redirect): pip install --upgrade "vllm>=0.14.1"
2. Restart all vLLM services
3. Verify the fix by checking the version

🔧 Temporary Workarounds

Disable Multimodal Endpoint (platform: all)

Disable the vulnerable multimodal endpoint if it is not required: configure vLLM to disable multimodal features in the deployment settings.

Network Segmentation (platform: all)

Restrict access to vLLM endpoints to trusted networks only, using firewall rules to limit access to vLLM ports.

🧯 If You Can't Patch

  • Implement strict input validation for image uploads
  • Deploy WAF rules to block malformed image requests

🔍 How to Verify

Check if Vulnerable:

Check the vLLM version and verify whether the multimodal endpoint is enabled.

Check Version:

python -c "import vllm; print(vllm.__version__)"

Verify Fix Applied:

Confirm that the vLLM version is 0.14.1 or later, then submit an invalid image to the multimodal endpoint and confirm that the error response no longer contains memory addresses.
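The version check above is a one-liner; the script below turns it into a verdict against the affected range stated in this advisory. It is an added example, not code from the advisory or from the vLLM project. The boundaries (0.8.3 through 0.14.0 affected, 0.14.1 fixed) come from the advisory; how pre-release and dev builds of 0.14.1 are treated is an assumption noted in the code. It needs only the standard library and can be run on the serving host, where `check_installed()` reads `vllm.__version__` directly.

```python
"""Classify a vLLM version string against the CVE-2026-22778 affected range.

Added example for this advisory; it is not code from the advisory or from the
vLLM project. The boundaries (0.8.3 through 0.14.0 affected, 0.14.1 fixed)
come from the advisory; the handling of pre-release tags is an assumption
noted below. Run it as a script on the serving host, or import classify().
"""
import re

AFFECTED_MIN = (0, 8, 3)   # first affected release per the advisory
AFFECTED_MAX = (0, 14, 0)  # last affected release per the advisory
FIXED = (0, 14, 1)         # first fixed release per the advisory

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")
# PEP 440 pre-release / dev markers that may follow the numeric core
_PRERELEASE_RE = re.compile(r"^(a|b|rc|\.dev)\d*")


def parse_version(text):
    """Split '0.14.1rc1+cu124' into ((0, 14, 1), 'rc1+cu124')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch)), suffix


def classify(text):
    """Return 'affected', 'fixed', or 'unaffected-older' for a version string.

    Assumption (not from the advisory): a pre-release or dev build of the fix
    version (e.g. '0.14.1rc1', '0.14.1.dev3') is treated as affected, since it
    may predate the patch; a local tag such as '+cu124' does not change the
    verdict.
    """
    core, suffix = parse_version(text)
    if core < AFFECTED_MIN:
        return "unaffected-older"
    if core <= AFFECTED_MAX:
        return "affected"
    if core == FIXED and _PRERELEASE_RE.match(suffix):
        return "affected"
    return "fixed"


def check_installed():
    """Classify the vLLM importable in this environment; None if it is absent."""
    try:
        import vllm  # only present on a host that actually runs vLLM
    except ImportError:
        return None
    return vllm.__version__, classify(vllm.__version__)


if __name__ == "__main__":
    result = check_installed()
    if result is None:
        print("vLLM is not installed in this environment")
    else:
        version, verdict = result
        print(f"vLLM {version}: {verdict}")
```

A version verdict of "fixed" only covers the code path this advisory patches; the workaround of disabling the multimodal endpoint still has to be checked separately in the deployment configuration.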

📡 Detection & Monitoring

Log Indicators:

  • PIL error messages in logs
  • Invalid image upload attempts
  • Heap address disclosures in error responses

Network Indicators:

  • HTTP requests with malformed images to multimodal endpoints
  • Unusual error response patterns

SIEM Query:

source="vllm" AND ("PIL" OR "heap" OR "address") AND error
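The log and network indicators above, together with the SIEM query, reduce to two checks a log pipeline can run: PIL error lines that echo a pointer-sized value, and bursts of invalid-image requests from one client. The scanner below implements both as an added example; it is not part of the advisory or of vLLM. The log line layout, the per-client field and the exact PIL wording are constructed for the example, so the regexes must be adapted to the real vLLM log format. The address pattern assumes a 64-bit Linux process, where heap and mmap pointers typically render as `0x` followed by 12 hex digits.

```python
"""Scan vLLM-style server logs for the CVE-2026-22778 indicators.

Added example, not part of the advisory or of vLLM. The log format, the
client field and the PIL error text are constructed; adapt LINE_RE, PIL_RE
and INVALID_IMAGE_RE to your deployment's actual log layout.
"""
import re
from collections import Counter

# Constructed sample log: one benign request, three invalid-image errors from a
# single client (two of which echo a pointer value), and an unrelated error.
SAMPLE_LOG = """\
2026-01-10T12:00:01Z INFO  client=10.0.0.5 POST /v1/chat/completions status=200
2026-01-10T12:00:02Z ERROR client=10.0.0.9 POST /v1/chat/completions status=400 PIL.UnidentifiedImageError: cannot identify image file <_io.BytesIO object at 0x7f3a1c2b4e10>
2026-01-10T12:00:03Z ERROR client=10.0.0.9 POST /v1/chat/completions status=400 PIL.UnidentifiedImageError: cannot identify image file <_io.BytesIO object at 0x7f3a1c2b4f90>
2026-01-10T12:00:04Z ERROR client=10.0.0.9 POST /v1/chat/completions status=400 invalid image payload
2026-01-10T12:00:05Z ERROR client=10.0.0.7 POST /v1/chat/completions status=500 CUDA out of memory
"""

# Constructed line layout: timestamp level client=... METHOD path status=NNN message
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+client=(?P<client>\S+)\s+"
    r"(?P<method>\w+)\s+(?P<path>\S+)\s+status=(?P<status>\d+)\s*(?P<msg>.*)$"
)
# "PIL error messages in logs" indicator
PIL_RE = re.compile(r"\bPIL\b|UnidentifiedImageError|cannot identify image")
# "Invalid image upload attempts" indicator (PIL errors also count)
INVALID_IMAGE_RE = re.compile(r"invalid image|cannot identify image", re.IGNORECASE)
# Assumption: 64-bit Linux user-space pointers print as 0x + 12 hex digits
ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{12}\b")


def parse_line(line):
    """Return the line's fields as a dict, or None if it does not match LINE_RE."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan_log(log_text, burst_threshold=3):
    """Apply the advisory's indicators to a log and return the findings.

    address_leaks: PIL error lines that also contain a pointer-sized value,
                   i.e. the "heap address disclosure in error responses" signal.
    invalid_image_per_client: count of invalid-image errors per client.
    bursting_clients: clients at or above burst_threshold invalid-image errors,
                      the "unusual error response pattern" signal.
    """
    leaks = []
    invalid_per_client = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these too
        msg = rec["msg"]
        is_pil = bool(PIL_RE.search(msg))
        if is_pil or INVALID_IMAGE_RE.search(msg):
            invalid_per_client[rec["client"]] += 1
        addr = ADDR_RE.search(msg)
        if is_pil and addr:
            leaks.append({"ts": rec["ts"], "client": rec["client"],
                          "path": rec["path"], "address": addr.group(0)})
    bursting = sorted(c for c, n in invalid_per_client.items() if n >= burst_threshold)
    return {
        "address_leaks": leaks,
        "invalid_image_per_client": dict(invalid_per_client),
        "bursting_clients": bursting,
    }


if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for leak in findings["address_leaks"]:
        print(f"{leak['ts']} address disclosed to {leak['client']} on {leak['path']}: {leak['address']}")
    for client in findings["bursting_clients"]:
        print(f"burst of invalid-image errors from {client}: "
              f"{findings['invalid_image_per_client'][client]}")
```

The address match is deliberately tied to a PIL error on the same line: a bare hex value in an unrelated error (a CUDA or tokenizer message, say) is not this indicator. The burst threshold is a starting point to tune against normal traffic; a patched deployment should produce no `address_leaks` at all, which makes that list a useful post-upgrade check as well.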
