Cyber Resilience

CVE-2026-22778

CriticalUpdated

Published: 02 February 2026

Published
02 February 2026
Modified
27 June 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0328 86.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-22778 is a critical-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in Vllm Vllm. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as NLP and Transformers; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-22778 is a heap address disclosure vulnerability (CWE-532) in vLLM, an open-source inference and serving engine for large language models (LLMs). The issue affects versions from 0.8.3 up to but not including 0.14.1. Specifically, when an invalid image is submitted to vLLM's multimodal endpoint, the Python Imaging Library (PIL) generates an error that vLLM echoes back to the client, inadvertently leaking a heap memory address. This disclosure has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity.

Unauthenticated remote attackers with network access to a vulnerable vLLM instance can exploit this by sending a crafted invalid image to the multimodal endpoint, obtaining a heap address leak that significantly weakens Address Space Layout Randomization (ASLR), reducing brute-force guesses from approximately 4 billion to around 8. This information disclosure can be chained with a separate heap overflow vulnerability in the JPEG2000 decoder implemented via OpenCV or FFmpeg, enabling full remote code execution (RCE) on the server.

The vulnerability is addressed in vLLM version 0.14.1, as detailed in the project's security advisory (GHSA-4r2x-xpjr-7cvv) and associated pull requests (#31987 and #32319). Security practitioners should upgrade to 0.14.1 or later and review exposure of multimodal endpoints, particularly in LLM serving environments. The release notes for v0.14.1 confirm the fix.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a…

more

heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.

CWE(s)

AI Security AnalysisAI

AI Category
NLP and Transformers
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: llms, opencv, vllm

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated remote exploitation of public-facing vLLM multimodal endpoint for heap address disclosure that enables RCE chaining.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22773Same product: Vllm Vllm
CVE-2026-25960Same product: Vllm Vllm
CVE-2025-62164Same product: Vllm Vllm
CVE-2026-24779Same product: Vllm Vllm
CVE-2026-22807Same product: Vllm Vllm
CVE-2026-27893Same product: Vllm Vllm
CVE-2025-24357Same product: Vllm Vllm
CVE-2025-66448Same product: Vllm Vllm
CVE-2024-11041Same product: Vllm Vllm
CVE-2025-29783Same product: Vllm Vllm

Affected Assets

vllm
vllm
0.8.3 — 0.14.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents heap address disclosure by requiring the system to handle PIL errors without leaking sensitive memory information to clients.

prevent

Mandates timely flaw remediation, such as upgrading vLLM to version 0.14.1, which specifically fixes the vulnerability.

prevent

Filters sensitive information like heap addresses from outputs returned to clients via the multimodal endpoint.

References