{
  "threat_severity" : "Critical",
  "public_date" : "2026-02-02T21:09:53Z",
  "bugzilla" : {
    "description" : "vLLM: vLLM: Remote code execution via invalid image processing in the multimodal endpoint.",
    "id" : "2436113",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2436113"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-209",
  "details" : [ "vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.", "A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). A remote attacker can exploit this vulnerability by sending a specially crafted video URL to vLLM's multimodal endpoint. This action causes vLLM to leak a heap memory address, significantly reducing the effectiveness of Address Space Layout Randomization (ASLR). This information disclosure can then be chained with a heap overflow vulnerability to achieve remote code execution." ],
  "statement" : "This vulnerability is rated Critical rather than Important because it allows unauthenticated remote code execution without requiring user interaction, ultimately leading to full compromise of the affected system. An attacker can provide a malicious video URL to a vulnerable vLLM inference endpoint, which causes the service to automatically retrieve and process attacker-controlled media content. During decoding, a heap overflow is triggered in the underlying video processing stack, enabling corruption of heap memory and potential overwriting of control structures to execute arbitrary commands on the host. In addition, an information disclosure condition can leak memory addresses, significantly weakening ASLR protections and making exploitation more reliable when combined with the heap overflow. Successful exploitation compromises the confidentiality, integrity, and availability of the system and can impact deployments such as Red Hat AI Inference Server, Red Hat Enterprise Linux AI, and Red Hat OpenShift AI, thereby meeting Red Hat’s criteria for Critical severity rather than Important impact.\nThe vLLM vulnerability depends on CVE-2025-9951, as processing attacker-controlled media can trigger the JPEG2000 decoder heap overflow, which can then be exploited within the vLLM video handling pipeline to cause memory corruption and potentially achieve remote code execution.",
  "affected_release" : [ {
    "product_name" : "Red Hat AI Inference Server 3.2",
    "release_date" : "2026-02-27T00:00:00Z",
    "advisory" : "RHSA-2026:3461",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9",
    "package" : "rhaiis/vllm-cuda-rhel9:1772160593"
  }, {
    "product_name" : "Red Hat AI Inference Server 3.2",
    "release_date" : "2026-02-27T00:00:00Z",
    "advisory" : "RHSA-2026:3462",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9",
    "package" : "rhaiis/vllm-rocm-rhel9:1772160625"
  }, {
    "product_name" : "Red Hat OpenShift AI 2.25",
    "release_date" : "2026-03-04T00:00:00Z",
    "advisory" : "RHSA-2026:3782",
    "cpe" : "cpe:/a:redhat:openshift_ai:2.25::el9",
    "package" : "rhoai/odh-vllm-cpu-rhel9:1772093436"
  }, {
    "product_name" : "Red Hat OpenShift AI 2.25",
    "release_date" : "2026-03-04T00:00:00Z",
    "advisory" : "RHSA-2026:3782",
    "cpe" : "cpe:/a:redhat:openshift_ai:2.25::el9",
    "package" : "rhoai/odh-vllm-cuda-rhel9:1772093276"
  }, {
    "product_name" : "Red Hat OpenShift AI 2.25",
    "release_date" : "2026-03-04T00:00:00Z",
    "advisory" : "RHSA-2026:3782",
    "cpe" : "cpe:/a:redhat:openshift_ai:2.25::el9",
    "package" : "rhoai/odh-vllm-gaudi-rhel9:1772093278"
  }, {
    "product_name" : "Red Hat OpenShift AI 2.25",
    "release_date" : "2026-03-04T00:00:00Z",
    "advisory" : "RHSA-2026:3782",
    "cpe" : "cpe:/a:redhat:openshift_ai:2.25::el9",
    "package" : "rhoai/odh-vllm-rocm-rhel9:1772093237"
  }, {
    "product_name" : "Red Hat OpenShift AI 3.3",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19712",
    "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9",
    "package" : "rhoai/odh-vllm-cpu-rhel9:1778264363"
  }, {
    "product_name" : "Red Hat OpenShift AI 3.3",
    "release_date" : "2026-03-04T00:00:00Z",
    "advisory" : "RHSA-2026:3713",
    "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9",
    "package" : "rhoai/odh-vllm-gaudi-rhel9:1770956034"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Will not fix",
    "package_name" : "rhaiis/vllm-spyre-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Not affected",
    "package_name" : "rhaiis/vllm-tpu-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Out of support scope",
    "package_name" : "rhelai3/bootc-aws-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Out of support scope",
    "package_name" : "rhelai3/bootc-azure-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Out of support scope",
    "package_name" : "rhelai3/bootc-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Out of support scope",
    "package_name" : "rhelai3/bootc-gcp-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kserve-agent-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kserve-controller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kserve-router-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kserve-storage-initializer-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-22778\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22778\nhttps://github.com/vllm-project/vllm/pull/31987\nhttps://github.com/vllm-project/vllm/pull/32319\nhttps://github.com/vllm-project/vllm/releases/tag/v0.14.1\nhttps://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv" ],
  "name" : "CVE-2026-22778",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}