SB2026040405 - Improper input validation in vLLM




Published: April 4, 2026

Security Bulletin ID SB2026040405
Severity Low
Patch available YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Improper input validation (CVE-ID: CVE-2026-22773)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper input handling in the Idefics3 vision model image processor when parsing a specially crafted 1x1 pixel image with ambiguous dimensions. A remote user can send a specially crafted image payload to cause a denial of service.

This issue affects vLLM serving multimodal models that use the Idefics3 architecture and results in an unhandled runtime error that terminates the EngineCore process.


Remediation

Install the update from the vendor's website.
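
As a compensating control until the update is deployed, a service in front of vLLM can reject degenerate images before they reach the Idefics3 image processor. The following is an added example, not vLLM or vendor code: it reads the declared dimensions from PNG, GIF and JPEG headers and refuses anything below a minimum side length, which covers the 1x1 case described above. The `MIN_SIDE` value, the function names and the sample header are assumptions made for this example.

```python
import struct

MIN_SIDE = 2  # assumption: example policy value, not taken from the vendor fix

class RejectedImage(ValueError):
    """Raised when an upload must not be forwarded to the model server."""

def _jpeg_size(data: bytes) -> tuple[int, int]:
    i = 2  # skip the SOI marker
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise RejectedImage("corrupt JPEG segment")
        marker = data[i + 1]
        if marker == 0xFF:  # padding byte before a marker
            i += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD9:  # markers without a length
            i += 2
            continue
        (seg_len,) = struct.unpack(">H", data[i + 2:i + 4])
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):  # SOFn
            if i + 9 > len(data):
                raise RejectedImage("truncated JPEG frame header")
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return width, height
        i += 2 + seg_len
    raise RejectedImage("JPEG frame header not found")

def image_size(data: bytes) -> tuple[int, int]:
    """Read (width, height) from the file header without decoding pixels."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR" and len(data) >= 24:
        return struct.unpack(">II", data[16:24])
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        return struct.unpack("<HH", data[6:10])
    if data[:2] == b"\xff\xd8":
        return _jpeg_size(data)
    raise RejectedImage("unsupported or unrecognised image format")

def check_image(data: bytes, min_side: int = MIN_SIDE) -> tuple[int, int]:
    """Return the declared size, or raise RejectedImage for degenerate images."""
    width, height = image_size(data)
    if width < min_side or height < min_side:
        raise RejectedImage(f"image is {width}x{height}; minimum side is {min_side}")
    return width, height

# Constructed sample: PNG signature plus IHDR prefix only (enough for the header check).
def sample_png_header(width: int, height: int) -> bytes:
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I4sII", 13, b"IHDR", width, height)
```

Call `check_image()` on the raw image bytes before forwarding the request; a `RejectedImage` should map to a 4xx response so the request never reaches the EngineCore process.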