Critical vLLM Multimodal Endpoint Flaw Enables Pre-Auth Remote Code Execution via Malicious Video

Tags: ai-platform-security, internet-facing-service-vulnerability, widely-deployed-product-advisory, internet-exposed-service, open-source-dependency-vulnerability
Updated March 21, 2026 at 02:39 PM | 2 sources

CVE-2026-22778 is a critical vulnerability in vLLM (an LLM inference/serving engine) that can enable remote code execution (RCE) when a server processes attacker-supplied multimodal content (e.g., a crafted video/image payload). The issue stems from vLLM returning a PIL error to the client when an invalid image is submitted to a multimodal endpoint, which leaks a heap address and dramatically weakens ASLR (reported as reducing brute-force from billions of guesses to ~8). This information disclosure can then be chained with a heap overflow in the JPEG2000 decoder within bundled OpenCV/FFmpeg components to hijack execution flow and run arbitrary commands on the host.

Operational risk is elevated because many default vLLM deployments (including common pip/Docker installs) may be exposed without authentication, and reporting indicates exploitation may still be possible pre-auth even when API keys are enabled (via an “invocations” route). The vulnerability affects versions 0.8.3 up to but not including 0.14.1 and is fixed in vLLM 0.14.1; remediation should prioritize upgrading to 0.14.1 or later and reviewing exposure of multimodal endpoints, especially any internet-accessible instances.
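
The error-echo leak described above, reduced to its pattern, as an added example (not vLLM's code or its actual patch): a constructed stand-in decoder raises an error whose text embeds an object repr carrying a memory address, and two handlers contrast echoing that text with returning a generic message. The function names, logger name and response shape are assumptions made for illustration.

```python
import io
import logging
import re
import uuid

log = logging.getLogger("mm_endpoint")  # hypothetical logger name

# CPython's default object repr embeds a memory address ("... at 0x7f...").
ADDR_RE = re.compile(r"0x[0-9a-fA-F]{6,16}")


def decode_image(data: bytes):
    """Stand-in image decoder, constructed for this example.

    It fails the way the advisory describes: the error text includes the
    repr of the in-memory buffer, and that repr carries a heap address.
    """
    fp = io.BytesIO(data)
    if not data.startswith((b"\x89PNG", b"\xff\xd8")):
        raise ValueError(f"cannot identify image file {fp!r}")
    return fp


def handle_vulnerable(data: bytes) -> dict:
    """Anti-pattern: the raw exception text is echoed to the client."""
    try:
        decode_image(data)
        return {"status": 200}
    except Exception as exc:
        return {"status": 400, "error": str(exc)}


def handle_hardened(data: bytes) -> dict:
    """Fixed pattern: generic client message, detail kept in server logs."""
    try:
        decode_image(data)
        return {"status": 200}
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]  # correlation id, reveals nothing
        log.warning("image decode failed ref=%s detail=%s", ref, exc)
        return {"status": 400, "error": "invalid image payload", "ref": ref}


def redact_addresses(text: str) -> str:
    """Defense in depth for any error string that still reaches a response."""
    return ADDR_RE.sub("0x<redacted>", text)
```

The same regular expression can be run over captured 4xx/5xx response bodies from a multimodal endpoint to check whether a deployment still returns address-bearing error text.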

Timeline

  1. Feb 5, 2026

    Public reporting details pre-auth RCE risk in video-model deployments

    Public coverage described CVE-2026-22778 as a critical CVSS 9.8 flaw that could allow pre-auth remote code execution in some default or invocations-route vLLM deployments serving video models. The reporting clarified that text-only model serving was not affected and urged administrators to upgrade to vLLM 0.14.1 or later.

  2. Feb 2, 2026

    vLLM 0.14.1 released to fix CVE-2026-22778

    The issue was fixed in vLLM version 0.14.1, which remediates the heap address disclosure affecting multimodal and video-serving deployments. References cited for the fix include the v0.14.1 release tag, related GitHub pull requests, and a GitHub Security Advisory.

  3. Feb 2, 2026

    vLLM vulnerability enables heap address leak via invalid image errors

    A vulnerability later assigned CVE-2026-22778 was identified in vLLM versions 0.8.3 up to but not including 0.14.1, where sending an invalid image to a multimodal endpoint causes a PIL error to leak a heap address. The leak significantly reduces ASLR entropy and can be chained with a JPEG2000 decoder heap overflow in bundled OpenCV/FFmpeg components for possible remote code execution.

Sources

February 2, 2026 at 11:16 PM

Related Stories

High-Severity Flaws in Langflow and vLLM Expose Secrets and Enable RCE

Two high-severity vulnerabilities were disclosed in widely used AI application components, affecting **Langflow** and **vLLM**. In Langflow, `CVE-2026-33497` impacts versions before **1.7.1** and stems from improper filtering of `folder_name` and `file_name` in the `/profile_pictures/{folder_name}/{file_name}` endpoint. The path traversal flaw (`CWE-22`) allows unauthenticated attackers to read files across directories, including the application's `secret_key`, creating a direct risk of secret exposure and follow-on compromise. The issue is addressed in **Langflow 1.7.1** and tracked in GitHub advisory `GHSA-ph9w-r52h-28p7`. A separate flaw in vLLM, `CVE-2026-27893`, can lead to **remote code execution** by bypassing a user's attempt to disable remote code trust. In versions from **0.10.1** up to but not including **0.18.0**, two model implementation files hardcoded `trust_remote_code=True`, overriding the safer `--trust-remote-code=False` setting and allowing malicious model repositories to run code during model use. The vulnerability, classified as `CWE-693`, was patched in **vLLM 0.18.0**, underscoring supply-chain and configuration-bypass risks in AI infrastructure components.

1 month ago

LMDeploy SSRF Was Exploited Within Hours as LiteLLM Proxy Disclosed RCE Chain

Attackers began exploiting **CVE-2026-33626** in LMDeploy less than 13 hours after public disclosure, using a server-side request forgery flaw in vision-language request handling to make inference servers fetch attacker-controlled and internal URLs. Sysdig said the bug affects LMDeploy `0.12.0` and earlier with vision-language support, where `image_url` input is not properly restricted, and observed an eight-minute attack against its honeypot that probed AWS instance metadata, localhost services, an unauthenticated administrative endpoint, and an out-of-band callback domain. The activity included scans of loopback ports associated with **Redis**, **MySQL**, and HTTP services, underscoring the risk of exposing AI inference infrastructure to internal network discovery and cloud credential theft. The disclosures also highlighted broader weaknesses in LLM-serving platforms. LiteLLM published three advisories for LiteLLM Proxy that researchers said can be chained to achieve **remote code execution**, including an unauthenticated SQL injection (`GHSA-r75f-5x8p-qvmc`), a server-side template injection flaw, and an authenticated command-execution issue in MCP stdio test endpoints. The affected LiteLLM range is `1.81.16` through `1.83.6`, with fixes available in `1.83.7-stable` and later, while LMDeploy users were urged to upgrade to `v0.12.3+`, enforce **IMDSv2**, restrict egress, rotate IAM credentials, and monitor inference hosts for requests to metadata, loopback, and private-network addresses.

1 week ago

Two High-Severity Buffer Overflow Flaws Disclosed in LinkingVision rapidvms

Two high-severity vulnerabilities, **CVE-2026-33848** and **CVE-2026-33849**, were disclosed in **LinkingVision rapidvms**, both classified as **CWE-119** improper restriction of operations within the bounds of a memory buffer. The flaws affect **rapidvms versions before `PR#96`** and carry the same **CVSS v3.1** vector, `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`, indicating network-reachable exploitation with low attack complexity, no required privileges, user interaction, and potential for high impact across confidentiality, integrity, and availability. Both CVE records point to **GitHub pull request `#96`** in the `linkingvision/rapidvms` repository as the referenced fix or related remediation. Organizations running vulnerable rapidvms builds should review the changes in that pull request, identify any exposed instances, and prioritize upgrading or patching affected systems because successful exploitation could lead to severe compromise of the video management platform.

1 month ago
