{"api_version":"1","generated_at":"2026-06-27T18:33:03+00:00","cve":"CVE-2026-22778","urls":{"html":"https://cve.report/CVE-2026-22778","api":"https://cve.report/api/cve/CVE-2026-22778.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-22778","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-22778"},"summary":{"title":"vLLM leaks a heap address when PIL throws an error","description":"vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained with a heap overflow in the JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-02-02 23:16:06","updated_at":"2026-06-27 05:16:42"},"problem_types":["CWE-532","CWE-209","CWE-532 CWE-532: Insertion of Sensitive Information into Log File","CWE-209 Generation of Error Message Containing Sensitive 
Information"],"metrics":[{"version":"3.1","source":"ADP","type":"CVSS","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],
"references":[{"url":"https://github.com/vllm-project/vllm/pull/31987","name":"https://github.com/vllm-project/vllm/pull/31987","refsource":"security-advisories@github.com","tags":["Issue Tracking","Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:3462","name":"https://access.redhat.com/errata/RHSA-2026:3462","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-22778","name":"https://access.redhat.com/security/cve/CVE-2026-22778","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436113","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2436113","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:3782","name":"https://access.redhat.com/errata/RHSA-2026:3782","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/vllm-project/vllm/pull/32319","name":"https://github.com/vllm-project/vllm/pull/32319","refsource":"security-advisories@github.com","tags":["Issue Tracking","Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv","name":"https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv","refsource":"security-advisories@github.com","tags":["Vendor 
Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:3713","name":"https://access.redhat.com/errata/RHSA-2026:3713","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:19712","name":"https://access.redhat.com/errata/RHSA-2026:19712","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22778.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22778.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/vllm-project/vllm/releases/tag/v0.14.1","name":"https://github.com/vllm-project/vllm/releases/tag/v0.14.1","refsource":"security-advisories@github.com","tags":["Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:3461","name":"https://access.redhat.com/errata/RHSA-2026:3461","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-22778","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22778","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"vllm-project","product":"vllm","version":"affected >= 0.8.3, < 0.14.1","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat AI Inference Server 3.2","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift AI 2.25","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift AI 
3.3","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat AI Inference Server","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift AI (RHOAI)","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-02-03T00:01:43.512Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-02-02T21:09:53.265Z","lang":"en","value":"Made public."}],"solutions":[{"source":"ADP","title":"","value":"RHSA-2026:3461: Red Hat AI Inference Server 3.2","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:3462: Red Hat AI Inference Server 3.2","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:3782: Red Hat OpenShift AI 2.25","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:19712: Red Hat OpenShift AI 3.3","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:3713: Red Hat OpenShift AI 3.3","time":"","lang":"en"}],"workarounds":[{"source":"ADP","title":"","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"22778","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"vllm","cpe5":"vllm","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-22778","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA 
Coordinator","timestamp":"2026-02-03T15:40:34.684022Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-02-03T15:42:57.155Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"cpes":["cpe:/a:redhat:ai_inference_server:3.2::el9"],"defaultStatus":"affected","product":"Red Hat AI Inference Server 3.2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai:2.25::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift AI 2.25","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai:3.3::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift AI 3.3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"affected","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"unaffected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"}],"datePublic":"2026-02-02T21:09:53.265Z","descriptions":[{"lang":"en","value":"A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). A remote attacker can exploit this vulnerability by sending a specially crafted video URL to vLLM's multimodal endpoint. This action causes vLLM to leak a heap memory address, significantly reducing the effectiveness of Address Space Layout Randomization (ASLR). 
This information disclosure can then be chained with a heap overflow vulnerability to achieve remote code execution."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Critical"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-209","description":"Generation of Error Message Containing Sensitive Information","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-27T04:05:13.095Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-22778"},{"name":"RHBZ#2436113","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436113"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22778.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3461"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3462"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3782"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3713"}],"solutions":[{"lang":"en","value":"RHSA-2026:3461: Red Hat AI Inference Server 3.2"},{"lang":"en","value":"RHSA-2026:3462: Red Hat AI Inference Server 
3.2"},{"lang":"en","value":"RHSA-2026:3782: Red Hat OpenShift AI 2.25"},{"lang":"en","value":"RHSA-2026:19712: Red Hat OpenShift AI 3.3"},{"lang":"en","value":"RHSA-2026:3713: Red Hat OpenShift AI 3.3"}],"timeline":[{"lang":"en","time":"2026-02-03T00:01:43.512Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-02T21:09:53.265Z","value":"Made public."}],"title":"vLLM: vLLM: Remote code execution via invalid image processing in the multimodal endpoint.","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"product":"vllm","vendor":"vllm-project","versions":[{"status":"affected","version":">= 0.8.3, < 0.14.1"}]}],"descriptions":[{"lang":"en","value":"vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained with a heap overflow in the JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. 
This vulnerability is fixed in 0.14.1."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-532","description":"CWE-532: Insertion of Sensitive Information into Log File","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-02-02T21:09:53.265Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv","tags":["x_refsource_CONFIRM"],"url":"https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv"},{"name":"https://github.com/vllm-project/vllm/pull/31987","tags":["x_refsource_MISC"],"url":"https://github.com/vllm-project/vllm/pull/31987"},{"name":"https://github.com/vllm-project/vllm/pull/32319","tags":["x_refsource_MISC"],"url":"https://github.com/vllm-project/vllm/pull/32319"},{"name":"https://github.com/vllm-project/vllm/releases/tag/v0.14.1","tags":["x_refsource_MISC"],"url":"https://github.com/vllm-project/vllm/releases/tag/v0.14.1"}],"source":{"advisory":"GHSA-4r2x-xpjr-7cvv","discovery":"UNKNOWN"},"title":"vLLM leaks a heap address when PIL throws an error"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-22778","datePublished":"2026-02-02T21:09:53.265Z","dateReserved":"2026-01-09T18:27:19.388Z","dateUpdated":"2026-06-27T04:05:13.095Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-02-02 23:16:06","lastModifiedDate":"2026-06-27 05:16:42","problem_types":["CWE-532","CWE-209","CWE-532 CWE-532: Insertion of Sensitive Information into Log File","CWE-209 
Generation of Error Message Containing Sensitive Information"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-02-03T15:40:34.684022Z","id":"CVE-2026-22778","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*","versionStartIncluding":"0.8.3","versionEndExcluding":"0.14.1","matchCriteriaId":"6EBA2094-B756-41D7-A899-8C028DF95FF4"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"22778","Ordinal":"1","Title":"vLLM leaks a heap address when PIL throws an error","CVE":"CVE-2026-22778","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"22778","Ordinal":"1","NoteData":"vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. 
vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained with a heap overflow in the JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.","Type":"Description","Title":"vLLM leaks a heap address when PIL throws an error"}]}}}