CVE-2026-22773
Published: 10 January 2026
Summary
CVE-2026-22773 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Vllm Vllm. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as NLP and Transformers; in the Adversarial Attacks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-22773 is a denial-of-service vulnerability in vLLM, an inference and serving engine for large language models (LLMs). It affects versions from 0.6.4 to before 0.12.0, specifically when serving multimodal models that use the Idefics3 vision model implementation. The issue arises from a tensor dimension mismatch triggered by a specially crafted 1x1 pixel image, causing an unhandled runtime error that leads to complete server termination.
An attacker with network access and low privileges can exploit this remotely with low attack complexity and no user interaction. Exploitation results in high-impact availability disruption by crashing the vLLM engine, as reflected in its CVSS v3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). The root cause is tracked as CWE-770 (Allocation of Resources Without Limits or Throttling).
The vulnerability has been addressed in vLLM version 0.12.0. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/vllm-project/vllm/security/advisories/GHSA-grg2-63fw-f2qr.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1865
Vulnerability details
vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted…
more
1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0.
- CWE(s)
AI Security AnalysisAI
- AI Category
- NLP and Transformers
- Risk Domain
- Adversarial Attacks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: llms, vllm
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote exploitation of public-facing vLLM inference service via crafted multimodal input triggers unhandled crash (CWE-770), directly enabling application-layer DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of all inputs (including image tensors) to reject malformed 1x1 pixel data before it reaches the Idefics3 vision model path.
Mandates graceful error handling so that a tensor-dimension exception does not propagate to unhandled runtime termination of the vLLM engine.
Requires mechanisms to protect against denial-of-service conditions triggered by crafted inputs that exhaust or crash serving resources.