Cyber Resilience

CVE-2026-22773

MediumPublic PoCDDoS

Published: 10 January 2026

Published
10 January 2026
Modified
27 January 2026
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0002 4.8th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22773 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Vllm Vllm. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as NLP and Transformers; in the Adversarial Attacks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-22773 is a denial-of-service vulnerability in vLLM, an inference and serving engine for large language models (LLMs). It affects versions from 0.6.4 to before 0.12.0, specifically when serving multimodal models that use the Idefics3 vision model implementation. The issue arises from a tensor dimension mismatch triggered by a specially crafted 1x1 pixel image, causing an unhandled runtime error that leads to complete server termination.

An attacker with network access and low privileges can exploit this remotely with low attack complexity and no user interaction. Exploitation results in high-impact availability disruption by crashing the vLLM engine, as reflected in its CVSS v3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). The root cause is tracked as CWE-770 (Allocation of Resources Without Limits or Throttling).

The vulnerability has been addressed in vLLM version 0.12.0. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/vllm-project/vllm/security/advisories/GHSA-grg2-63fw-f2qr.

EU & UK References

Vulnerability details

vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted…

more

1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0.

CWE(s)

AI Security AnalysisAI

AI Category
NLP and Transformers
Risk Domain
Adversarial Attacks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: llms, vllm

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote exploitation of public-facing vLLM inference service via crafted multimodal input triggers unhandled crash (CWE-770), directly enabling application-layer DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22778Same product: Vllm Vllm
CVE-2026-25960Same product: Vllm Vllm
CVE-2025-62164Same product: Vllm Vllm
CVE-2025-66448Same product: Vllm Vllm
CVE-2026-22807Same product: Vllm Vllm
CVE-2025-29783Same product: Vllm Vllm
CVE-2026-27893Same product: Vllm Vllm
CVE-2026-24779Same product: Vllm Vllm
CVE-2024-11041Same product: Vllm Vllm
CVE-2025-24357Same product: Vllm Vllm

Affected Assets

vllm
vllm
0.6.4 — 0.12.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of all inputs (including image tensors) to reject malformed 1x1 pixel data before it reaches the Idefics3 vision model path.

prevent

Mandates graceful error handling so that a tensor-dimension exception does not propagate to unhandled runtime termination of the vLLM engine.

prevent

Requires mechanisms to protect against denial-of-service conditions triggered by crafted inputs that exhaust or crash serving resources.

References