CVE-2026-22778
Published: 02 February 2026
Summary
CVE-2026-22778 is a critical-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in vLLM (vendor vllm, product vllm). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-11 (Error Handling): directly prevents heap address disclosure by requiring the system to handle PIL errors without leaking sensitive memory information to clients.
- SI-2 (Flaw Remediation): mandates timely flaw remediation, such as upgrading vLLM to version 0.14.1, which specifically fixes the vulnerability.
- SI-15 (Information Output Filtering): filters sensitive information such as heap addresses from outputs returned to clients via the multimodal endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- Exploit Public-Facing Application (T1190): the issue is exploited by direct, unauthenticated remote requests to a public-facing vLLM multimodal endpoint, and the resulting heap address disclosure is what enables chaining to remote code execution.
NVD Description
vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained with a heap overflow in the JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.
Deeper analysis
CVE-2026-22778 is a heap address disclosure vulnerability (CWE-532) in vLLM, an open-source inference and serving engine for large language models (LLMs). The issue affects versions from 0.8.3 up to but not including 0.14.1. Specifically, when an invalid image is submitted to vLLM's multimodal endpoint, the Python Imaging Library (PIL) generates an error that vLLM echoes back to the client, inadvertently leaking a heap memory address. This disclosure has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity.
Unauthenticated remote attackers with network access to a vulnerable vLLM instance can exploit this by sending a crafted invalid image to the multimodal endpoint, obtaining a heap address leak that significantly weakens Address Space Layout Randomization (ASLR), reducing brute-force guesses from approximately 4 billion to around 8. This information disclosure can be chained with a separate heap overflow vulnerability in the JPEG2000 decoder implemented via OpenCV or FFmpeg, enabling full remote code execution (RCE) on the server.
The vulnerability is addressed in vLLM version 0.14.1, as detailed in the project's security advisory (GHSA-4r2x-xpjr-7cvv) and associated pull requests (#31987 and #32319). Security practitioners should upgrade to 0.14.1 or later and review exposure of multimodal endpoints, particularly in LLM serving environments. The release notes for v0.14.1 confirm the fix.
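The following is an added illustration, not code from vLLM or its advisory, of the leak mechanism described above and of the SI-11/SI-15 style handling that closes it: the "before" handler echoes the decoder's exception text to the client, the "after" handler returns a generic message and logs a redacted copy. It assumes (as is the case for Pillow's UnidentifiedImageError) that the error text embeds the repr of the file-like object, which carries a heap address; Pillow itself is replaced by a stand-in so the snippet runs without it.

```python
import io
import logging
import re

log = logging.getLogger("vllm_multimodal_demo")

# Pointer-bearing fragments an exception message may carry (assumption for this
# example; Pillow embeds the repr of the file object, which looks like
# "<_io.BytesIO object at 0x7f3a1c2b4d60>").
OBJ_REPR_RE = re.compile(r"<([\w.]+) object at 0x[0-9a-fA-F]+>")
HEX_PTR_RE = re.compile(r"\b0x[0-9a-fA-F]{8,16}\b")


def contains_heap_address(message: str) -> bool:
    """Detection helper: does a message expose a pointer-like value?"""
    return bool(OBJ_REPR_RE.search(message) or HEX_PTR_RE.search(message))


def redact_addresses(message: str) -> str:
    """SI-15 style output filtering: keep the error text, drop the addresses."""
    message = OBJ_REPR_RE.sub(r"<\1 object>", message)
    return HEX_PTR_RE.sub("0x<redacted>", message)


def fake_pil_open(buf: io.BytesIO) -> None:
    """Constructed stand-in for PIL.Image.open on an invalid image."""
    raise ValueError("cannot identify image file %r" % buf)


def handle_upload_vulnerable(data: bytes) -> str:
    """Before: the raw exception text (with the heap address) goes to the client."""
    try:
        fake_pil_open(io.BytesIO(data))
    except ValueError as exc:
        return str(exc)
    return "ok"


def handle_upload_hardened(data: bytes) -> str:
    """After: generic client message; detail is logged server-side, redacted."""
    try:
        fake_pil_open(io.BytesIO(data))
    except ValueError as exc:
        log.warning("image decode failed: %s", redact_addresses(str(exc)))
        return "invalid image"
    return "ok"
```

contains_heap_address can also be run over captured API responses or application logs to find other endpoints that echo object reprs.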
Details
- CWE(s)