CVE-2026-22773
Published: 10 January 2026
Summary
CVE-2026-22773 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Vllm Vllm. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.
Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.
Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.
Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote exploitation of public-facing vLLM inference service via crafted multimodal input triggers unhandled crash (CWE-770), directly enabling application-layer DoS.
NVD Description
vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted…
more
1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0.
Deeper analysisAI
CVE-2026-22773 is a denial-of-service vulnerability in vLLM, an inference and serving engine for large language models (LLMs). It affects versions from 0.6.4 to before 0.12.0, specifically when serving multimodal models that use the Idefics3 vision model implementation. The issue arises from a tensor dimension mismatch triggered by a specially crafted 1x1 pixel image, causing an unhandled runtime error that leads to complete server termination.
An attacker with network access and low privileges can exploit this remotely with low attack complexity and no user interaction. Exploitation results in high-impact availability disruption by crashing the vLLM engine, as reflected in its CVSS v3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). The root cause is tracked as CWE-770 (Allocation of Resources Without Limits or Throttling).
The vulnerability has been addressed in vLLM version 0.12.0. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/vllm-project/vllm/security/advisories/GHSA-grg2-63fw-f2qr.
Details
- CWE(s)