#VU124862 Improper input validation in vLLM - CVE-2026-22773


Published: April 4, 2026


Vulnerability identifier: #VU124862
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-22773
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: vLLM
Software vendor: vLLM

Description

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper input handling in the Idefics3 vision model image processor when it parses a specially crafted 1x1 pixel image with ambiguous dimensions. A remote user can submit such an image payload to cause a denial of service.

This issue affects vLLM deployments serving multimodal models that use the Idefics3 architecture. The malformed image triggers an unhandled runtime error that terminates the EngineCore process.
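The failure mode described above is a degenerate image reaching a model processor that was never written to handle it, with the resulting exception propagating far enough to kill the serving process. The following is an added example of the defensive pattern a deployment can put in front of any image-consuming model: reject degenerate or oversized images by reading only the header, and isolate processor failures at the request boundary so they become an error reply instead of a process crash. It is not vLLM's own code and does not reproduce the Idefics3 processor; the PNG-only header parser, the minimum-side policy (`MIN_SIDE`), and the `processor` callable are all assumptions made for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Hypothetical deployment policy: 1x1 (and 0-sized) images are refused before
# any model processor sees them; very large images are refused as well.
MIN_SIDE = 2
MAX_SIDE = 8192


class ImageRejected(ValueError):
    """Raised when an upload fails pre-validation; the caller maps it to a 4xx reply."""


def png_dimensions(data: bytes) -> tuple[int, int]:
    """Read width/height from the PNG IHDR chunk without decoding any pixels.

    Only the 33-byte prefix (signature + IHDR chunk) is inspected, and the IHDR
    CRC is verified so a truncated or tampered header is refused, not guessed at.
    """
    if len(data) < 33 or not data.startswith(PNG_SIGNATURE):
        raise ImageRejected("not a PNG")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ImageRejected("malformed IHDR chunk")
    body = data[16:29]
    (expected_crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != expected_crc:
        raise ImageRejected("IHDR CRC mismatch")
    width, height = struct.unpack(">II", body[:8])
    return width, height


def validate_image(data: bytes) -> tuple[int, int]:
    """Enforce the dimension policy; returns (width, height) on success."""
    width, height = png_dimensions(data)
    if width < MIN_SIDE or height < MIN_SIDE:
        raise ImageRejected(f"image too small: {width}x{height}")
    if width > MAX_SIDE or height > MAX_SIDE:
        raise ImageRejected(f"image too large: {width}x{height}")
    return width, height


def handle_upload(data: bytes, processor) -> dict:
    """Request-level wrapper around a hypothetical image processor.

    Validation runs first, and any exception the processor raises is caught
    here so that one bad request yields an error reply rather than an
    unhandled exception that takes the serving process down with it.
    """
    try:
        width, height = validate_image(data)
    except ImageRejected as exc:
        return {"status": 400, "error": str(exc)}
    try:
        result = processor(data, width, height)
    except Exception as exc:  # processor failure is contained at the request boundary
        return {"status": 422, "error": f"processor error: {type(exc).__name__}"}
    return {"status": 200, "result": result}


def make_png_header(width: int, height: int) -> bytes:
    """Constructed test input: a PNG signature plus a valid IHDR chunk, no pixel data."""
    body = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


if __name__ == "__main__":
    def failing_processor(_data, _w, _h):
        raise RuntimeError("constructed processor failure")

    print(handle_upload(make_png_header(1, 1), lambda d, w, h: "ok"))      # rejected: too small
    print(handle_upload(make_png_header(64, 64), lambda d, w, h: (w, h)))  # accepted
    print(handle_upload(make_png_header(64, 64), failing_processor))       # contained: 422
```

The header-only parse is deliberate: the check must not itself decode the untrusted image, or the guard inherits the same exposure it is meant to remove. The `except Exception` in `handle_upload` is the process-preserving half; it should sit at the request boundary, with the error logged, so a crash-inducing input shows up in logs as a rejected request rather than as an engine restart.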


Remediation

Install the security update from the vendor's website.

External links