PT-2026-5710 · Vllm+3

Dan-Sec-Ops · Published 2026-02-02 · Updated 2026-06-05 · CVE-2026-22778

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: vLLM versions 0.8.3 through 0.14.0
Description: vLLM is an inference and serving engine for large language models. A chain of issues allows for remote code execution when the service is configured to serve a video model. First, sending an invalid image to the multimodal endpoint causes PIL to throw an error that vLLM returns to the client, leaking a heap address. This leak significantly reduces the effectiveness of Address Space Layout Randomization (ASLR), reducing potential guesses from 4 billion to approximately 8.
This information leak can be chained with a heap buffer overflow in the JPEG2000 decoder within the bundled FFmpeg 5.1.x used by OpenCV. The overflow occurs because the decoder honors a cdef box that remaps color channels, allowing a large Y (luma) plane to be written into a smaller U (chroma) buffer. This can be exploited by sending a malicious video URL to the following endpoints:
  • '/v1/chat/completions'
  • '/v1/invocations'
By overwriting a function pointer (such as the free() pointer in an AVBuffer structure) with system(), an attacker can execute arbitrary commands on the server. The attack is feasible even when an API key is enabled, because on the invocations route the payload is processed before authentication.
Recommendations: Update vLLM to version 0.14.1. As a temporary workaround, disable the use of video models, or restrict access to the '/v1/chat/completions' and '/v1/invocations' endpoints if they are used to process video URL content.
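The two defender-side checks below are an added example, not code from vLLM or from this advisory. The first maps an installed vLLM version string onto the advisory's affected range (0.8.3 through 0.14.0, fixed in 0.14.1), treating a pre-release of 0.14.1 conservatively as still affected. The second implements the temporary workaround at a gateway: it inspects an OpenAI-style chat/invocations request body and flags any message content part that carries a video. The `video_url` content-part type, the helper names (`is_affected_version`, `request_carries_video`, `should_block`) and the sample request bodies are assumptions constructed for the example.

```python
"""Defender-side checks for the vLLM video-model advisory (added example, not vLLM code).

Assumptions (not taken from the advisory): requests follow the OpenAI chat-completions
shape, with multimodal content parts such as {"type": "video_url", "video_url": {...}};
request_carries_video() would run inside a reverse proxy or ASGI middleware in front of
/v1/chat/completions and /v1/invocations while the workaround is in place.
"""
from __future__ import annotations

import json
import re
from typing import Any, Iterator, Union

# Affected range and fix version as stated in the advisory.
AFFECTED_MIN = (0, 8, 3)
AFFECTED_MAX = (0, 14, 0)
FIXED = (0, 14, 1)

# Content-part types assumed to carry video input (assumption, not from the advisory).
VIDEO_PART_TYPES = {"video_url", "video"}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(.*)$")
_PRERELEASE_RE = re.compile(r"(a|b|rc|dev)\d*")


def parse_version(text: str) -> tuple[tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for strings like '0.14.1' or '0.14.1rc1'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))
    is_prerelease = bool(_PRERELEASE_RE.search(m.group(4)))
    return base, is_prerelease


def is_affected_version(text: str) -> bool:
    """True when the version is inside 0.8.3 .. 0.14.0 inclusive.

    Edge case: a pre-release of the fixed version (e.g. 0.14.1rc1) is treated as
    affected, because the fix is only guaranteed in the released 0.14.1.
    """
    base, is_prerelease = parse_version(text)
    if AFFECTED_MIN <= base <= AFFECTED_MAX:
        return True
    return base == FIXED and is_prerelease


def _iter_dicts(node: Any) -> Iterator[dict]:
    """Yield every dict reachable from node (messages, content lists, nested parts)."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _iter_dicts(value)
    elif isinstance(node, list):
        for item in node:
            yield from _iter_dicts(item)


def request_carries_video(body: Union[bytes, str, dict]) -> bool:
    """True if any content part in the request declares a video input.

    Malformed JSON is reported as carrying video so that a gateway fails closed
    rather than forwarding something it could not inspect.
    """
    if isinstance(body, (bytes, str)):
        try:
            body = json.loads(body)
        except ValueError:
            return True
    return any(
        part.get("type") in VIDEO_PART_TYPES or "video_url" in part
        for part in _iter_dicts(body)
    )


def should_block(body: Union[bytes, str, dict], vllm_version: str) -> bool:
    """Gateway decision for the workaround: block video requests only while the
    backend still runs an affected vLLM version."""
    return is_affected_version(vllm_version) and request_carries_video(body)


# Constructed sample request bodies (not real traffic).
SAMPLE_VIDEO_REQUEST = {
    "model": "example-video-model",
    "messages": [{"role": "user", "content": [
        {"type": "text", "text": "Describe this clip"},
        {"type": "video_url", "video_url": {"url": "https://example.invalid/clip.mp4"}},
    ]}],
}
SAMPLE_TEXT_REQUEST = {
    "model": "example-model",
    "messages": [{"role": "user", "content": "hello"}],
}


if __name__ == "__main__":
    for version in ("0.8.2", "0.8.3", "0.14.0", "0.14.1rc1", "0.14.1"):
        print(f"vLLM {version:>9}: affected={is_affected_version(version)}")
    print("video request blocked on 0.13.0:", should_block(SAMPLE_VIDEO_REQUEST, "0.13.0"))
    print("video request blocked on 0.14.1:", should_block(SAMPLE_VIDEO_REQUEST, "0.14.1"))
    print("text request blocked on 0.13.0: ", should_block(SAMPLE_TEXT_REQUEST, "0.13.0"))
```

The version check is deliberately conservative at the boundary: anything that is not a released 0.14.1 or later is reported as affected. The request filter walks the whole body rather than only `messages[*].content`, so a video part nested in an unexpected place is still caught, and it fails closed on bodies it cannot parse.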

Exploit

Fix

RCE

Insertion into Log File

Heap Based Buffer Overflow


Weakness Enumeration

Related Identifiers

CVE-2026-22778
GHSA-4R2X-XPJR-7CVV

Affected Products

Ffmpeg
Opencv
Pil
Vllm