Critical

vLLM multimodal heap-address information disclosure

IdentifiersCVE-2026-22778CWE-209

CVE-2026-22778 is an information disclosure vulnerability in vLLM affecting versions 0.8.3 through 0.14.0. When an invalid image is submitted to a multimodal OpenAI-compatible endpoint such as /v1/chat/completions, Pillow/PIL can raise an UnidentifiedImageError during image handling. vLLM returns the raw exception text to the client, and that error string can include the Python representation of a BytesIO object, for example '<_io.BytesIO object at 0x...>', thereby disclosing a heap address from the server process. The issue is described as an ASLR-bypassing primitive and a prerequisite stage in a larger exploitation chain involving a JPEG2000 heap overflow in OpenCV/FFmpeg. The available content identifies sanitize_message as part of the fix path and states the issue was fixed in vLLM 0.14.1.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation discloses server heap memory addresses to an unauthenticated remote client via HTTP error responses. This materially weakens ASLR, reducing entropy sufficiently to make follow-on memory-corruption exploitation substantially more reliable. By itself, the issue is an information leak; however, the provided content explicitly states it can be chained with a JPEG2000 decoder heap overflow in OpenCV/FFmpeg to achieve remote code execution on the vLLM server.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, sanitize all exception messages returned by multimodal API routes so raw str(exc) output is never exposed to clients. As compensating controls, restrict access to multimodal endpoints, require authentication, and disable or avoid serving multimodal models where not needed. Defense in depth should include isolating the vLLM service, limiting exposure of OpenAI-compatible endpoints, and monitoring for malformed image submissions intended to trigger PIL parsing failures.

Remediation

Patch, then assume compromise.

Upgrade vLLM to version 0.14.1 or later. The provided content indicates the fix sanitizes exception messages before returning them to clients, preventing raw Pillow/PIL exception strings and embedded object representations such as BytesIO heap pointers from being exposed. Validate that multimodal error responses no longer contain Python object addresses or unsanitized exception text.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

VllmVllmapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

21 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

21 SOURCESView more in app

metasploit pull requestsNews

Jun 21, 2026

Add vLLM multimodal info-leak scanner for CVE-2026-22778 by kenlacroix · Pull Request #21592 · rapid7/metasploit-framework · GitHub

An information disclosure vulnerability in vLLM OpenAI-compatible multimodal servers where a malformed image can trigger Pillow to leak a BytesIO heap address in an error response, described as the ASLR-bypassing first stage of a JPEG2000 heap-overflow RCE chain.

nuclei templates pull requestsNews

Jun 21, 2026

Add CVE-2026-22778 vLLM multimodal heap-address info-leak template by kenlacroix · Pull Request #16441 · projectdiscovery/nuclei-templates · GitHub

An information disclosure vulnerability in vLLM multimodal handling that leaks heap memory addresses via error output or object representations, aiding attackers by exposing memory layout details.

metasploit pull requestsNews

Jun 21, 2026

Add vLLM Anthropic router info-leak scanner for CVE-2026-54236 by kenlacroix · Pull Request #21593 · rapid7/metasploit-framework · GitHub

An earlier vLLM vulnerability whose original fix was incomplete, leading to CVE-2026-54236.

nuclei templates pull requestsNews

Feb 23, 2026

Add CVE-2026-22778: vLLM Remote Code Execution via Malicious Video URL by optimus-fulcria · Pull Request #15500 · projectdiscovery/nuclei-templates · GitHub

A remote code execution (RCE) vulnerability in vLLM triggered via a malicious video URL.

+1 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity15

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-22778

NVD

nvd.nist.gov/vuln/detail/CVE-2026-22778

MITRE CWE · CWE-209

cwe.mitre.org

Patch

github.com/vllm-project/vllm/pull/31987

Patch

github.com/vllm-project/vllm/pull/32319

Vendor Advisory

github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv

Release Notes

github.com/vllm-project/vllm/releases/tag/v0.14.1