External risk intelligence

vLLM Multimodal Endpoint Heap Leak Allows Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-22778

vLLM is a serving engine specifically designed to host and provide access to large language models. These services are commonly deployed as public-facing web or API endpoints to allow remote applications and users to interact with the models, making the multimodal endpoints a typical target for internet-reachable requests.

Remote Code Execution

Vllm

0.8.3 to before 0.14.1

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the vLLM engine, used for serving large language models, could allow an attacker to remotely execute code by sending a specially crafted image to a multimodal endpoint. This issue impacts versions prior to 0.14.1 and has been classified as critical due to the potential for significant system compromise.

  • Image errors could allow code execution.
  • Critical vulnerability impacts AI model serving.
  • Confirm if AI services are exposed externally.

Attack Path

How an attacker could exploit the issue

An attacker can send an invalid image to the vLLM multimodal endpoint, which triggers an error in the underlying image processing library. This error, when returned to the client, leaks a heap address, significantly reducing the guesswork needed to bypass security measures like ASLR. This leak can then be used in conjunction with other vulnerabilities to potentially achieve remote code execution.

  • Unauthenticated network access required.
  • Sending a malformed image triggers error.
  • Heap address leak facilitates further attacks.

Live Threat

Current exploitation, exposure, and threat context

When an invalid image is sent to vLLM's multimodal endpoint, it can leak heap memory addresses. This information, when combined with other vulnerabilities, could potentially allow for remote code execution.

  • Model inference service memory exposure.
  • Invalid image sent to multimodal endpoint.
  • Remote code execution may be possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

Infrastructure and platform teams are likely responsible for managing vLLM deployments, while security teams will coordinate the response. The initial step involves identifying all vLLM instances, determining their reachability and criticality, locating the accountable owner, and then prioritizing remediation based on risk.

  • Own: Platform or Infrastructure teams.
  • Verify: Network exposure and criticality.
  • Action: Plan and coordinate updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is vLLM and why is it used?

vLLM is a high-performance software engine built to serve and host large language models (LLMs). It manages the complex process of running AI models so that applications can interact with them via API endpoints. Because it is optimized for high-throughput inference, developers and organizations use it to provide scalable, low-latency access to AI capabilities for users and other software services.

How does CVE-2026-22778 cause an information leak?

This vulnerability involves an information exposure weakness. When an invalid image is sent to a vLLM multimodal endpoint, the underlying image processing library (PIL) generates an error. vLLM mistakenly returns this error message containing sensitive heap memory addresses to the client. These addresses act as a map for an attacker to bypass memory security protections like ASLR, making it much easier to perform further, more destructive attacks.

What triggers this vulnerability in vLLM?

The vulnerability is triggered when a user sends a malformed or invalid image file to a vLLM multimodal endpoint. This does not happen with valid, properly formatted images that the engine can process normally. The bug specifically occurs when the image processing logic fails, and the system insecurely reveals internal memory details instead of handling the error quietly.

Do I need to worry if my vLLM instance is internal?

You should assess your risk based on whether your instance is reachable by untrusted parties. Halo Surface Signal identifies vLLM as a service typically deployed as a public-facing API, making it a natural target for internet-reachable requests. If your instance is strictly internal and has no exposure to the public internet, the practical risk is lower, though updating remains recommended.

How do I fix CVE-2026-22778?

The first step is to identify all vLLM deployments within your infrastructure. Once located, verify their network reachability to determine which are at higher risk. Coordinate with your platform or infrastructure teams to prioritize updating your vLLM software to version 0.14.1 or later, which contains the necessary security fixes to prevent these memory leaks.

References