CVE-2026-22778
Published: 02 February 2026
Summary
CVE-2026-22778 is a critical-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in Vllm Vllm. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as NLP and Transformers; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-22778 is a heap address disclosure vulnerability (CWE-532) in vLLM, an open-source inference and serving engine for large language models (LLMs). The issue affects versions from 0.8.3 up to but not including 0.14.1. Specifically, when an invalid image is submitted to vLLM's multimodal endpoint, the Python Imaging Library (PIL) generates an error that vLLM echoes back to the client, inadvertently leaking a heap memory address. This disclosure has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity.
Unauthenticated remote attackers with network access to a vulnerable vLLM instance can exploit this by sending a crafted invalid image to the multimodal endpoint, obtaining a heap address leak that significantly weakens Address Space Layout Randomization (ASLR), reducing brute-force guesses from approximately 4 billion to around 8. This information disclosure can be chained with a separate heap overflow vulnerability in the JPEG2000 decoder implemented via OpenCV or FFmpeg, enabling full remote code execution (RCE) on the server.
The vulnerability is addressed in vLLM version 0.14.1, as detailed in the project's security advisory (GHSA-4r2x-xpjr-7cvv) and associated pull requests (#31987 and #32319). Security practitioners should upgrade to 0.14.1 or later and review exposure of multimodal endpoints, particularly in LLM serving environments. The release notes for v0.14.1 confirm the fix.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5277
Vulnerability details
vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a…
more
heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.
- CWE(s)
AI Security AnalysisAI
- AI Category
- NLP and Transformers
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: llms, opencv, vllm
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated remote exploitation of public-facing vLLM multimodal endpoint for heap address disclosure that enables RCE chaining.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents heap address disclosure by requiring the system to handle PIL errors without leaking sensitive memory information to clients.
Mandates timely flaw remediation, such as upgrading vLLM to version 0.14.1, which specifically fixes the vulnerability.
Filters sensitive information like heap addresses from outputs returned to clients via the multimodal endpoint.