CVE-2026-22778

vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.

An unauthenticated external attacker targets an organization's public-facing LLM API powered by vLLM with vision capabilities. Stage 1 — ASLR Defeat: The attacker sends a crafted invalid image (truncated or structurally malformed JPEG) to the multimodal endpoint. PIL raises an unhandled exception whose message contains a heap memory address; vLLM forwards this verbatim in the HTTP 500 error response. The attacker parses the JSON error body, extracts the address, and computes the heap base — reducing ASLR entropy from ~32 bits to ~3 bits. Stage 2 — RCE: The attacker crafts a malicious JPEG2000 file engineered to trigger the heap overflow in OpenCV/FFmpeg's libopenjp2 decoder. With heap layout now known, memory corruption offsets are reliable. The attacker achieves remote code execution on the inference server. Stage 3 — Post-Exploitation: A reverse shell or C2 beacon is installed. The attacker exfiltrates model weights, API keys stored in environment variables, system prompts, and customer inference logs. From the inference server, the attacker pivots to internal storage, databases, or adjacent AI infrastructure — all without ever authenticating to the API.