Improper input validation in vLLM - CVE-2026-22773

Published: April 4, 2026


Vulnerability identifier: #VU124862
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-22773
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: vLLM
Affected software:
vLLM

Detailed vulnerability description

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper input handling in the image processor of the Idefics3 vision model when it parses a specially crafted 1x1 pixel image whose dimensions are ambiguous. A remote user with access to the inference API (the CVSS vector requires low privileges) can submit such an image in a multimodal request and cause a denial of service.

This issue affects vLLM instances serving multimodal models that use the Idefics3 architecture. The crafted image triggers an unhandled runtime error that terminates the EngineCore process, so a single request can stop the instance from serving further requests.
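An added example, not vLLM's own code and not the vendor's fix: a pre-flight check that a deployer could place in front of the inference API. It reads the declared width and height from PNG and JPEG headers and rejects degenerate images, such as the 1x1 pixel case described above, before they reach the model's image processor, and it wraps the processor call so a per-request failure is answered with a client error instead of raising unhandled inside the serving process. The `min_side`/`max_side` limits, the `validate_image` and `process_request_image` names and the sample images are assumptions constructed for this example; applying the vendor update remains the actual remedy.

```python
"""Pre-flight image validation for a multimodal serving endpoint (added example,
not vLLM project code). Limits and sample images are constructed assumptions."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


class ImageRejected(ValueError):
    """Raised when a payload fails validation (map to HTTP 400 at the API layer)."""


def png_dimensions(data: bytes) -> tuple[int, int]:
    """Width/height from the IHDR chunk that must directly follow the PNG signature."""
    if len(data) < 24 or not data.startswith(PNG_SIGNATURE) or data[12:16] != b"IHDR":
        raise ImageRejected("not a PNG or IHDR missing")
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def jpeg_dimensions(data: bytes) -> tuple[int, int]:
    """Width/height from the first SOFn frame header of a JPEG marker stream."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        raise ImageRejected("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ImageRejected("corrupt JPEG marker stream")
        marker = data[pos + 1]
        if marker == 0xFF:                                   # fill byte, keep scanning
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            raise ImageRejected("bad JPEG segment length")
        # SOF0..SOF15 carry the frame header, except DHT (C4), JPG (C8) and DAC (CC).
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            if pos + 9 > len(data):
                raise ImageRejected("truncated SOF segment")
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])  # precision byte skipped
            return width, height
        pos += 2 + seg_len
    raise ImageRejected("no SOF segment found")


def sniff_dimensions(data: bytes) -> tuple[int, int]:
    if data.startswith(PNG_SIGNATURE):
        return png_dimensions(data)
    if data[:2] == b"\xff\xd8":
        return jpeg_dimensions(data)
    raise ImageRejected("unsupported image format")


def validate_image(data: bytes, min_side: int = 2, max_side: int = 8192,
                   max_bytes: int = 20 * 1024 * 1024) -> tuple[int, int]:
    """Reject oversized payloads and degenerate declared sizes. min_side=2 is an
    assumed policy: it refuses 1x1 without knowing which axis the processor trips on."""
    if len(data) > max_bytes:
        raise ImageRejected(f"payload of {len(data)} bytes exceeds {max_bytes}")
    width, height = sniff_dimensions(data)
    if width < min_side or height < min_side:
        raise ImageRejected(f"image too small: {width}x{height}")
    if width > max_side or height > max_side:
        raise ImageRejected(f"image too large: {width}x{height}")
    return width, height


def is_accepted(data: bytes, **limits) -> bool:
    """True if validate_image accepts the payload, False if it rejects it."""
    try:
        validate_image(data, **limits)
        return True
    except ImageRejected:
        return False


def process_request_image(data: bytes, processor):
    """Validate, then run the (hypothetical) image processor inside a guard so a
    per-request failure becomes a client error, not an unhandled engine error."""
    validate_image(data)
    try:
        return processor(data)
    except Exception as exc:                                 # log exc in a real deployment
        raise ImageRejected(f"image processor failed: {exc}") from exc


def make_png(width: int, height: int) -> bytes:
    """Constructed test data: a complete, valid 8-bit grayscale PNG."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter byte 0 per row
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b"")


ONE_BY_ONE_PNG = make_png(1, 1)
NORMAL_PNG = make_png(64, 48)
# Constructed JPEG header fragment: SOI, then a SOF0 declaring a 1x1 8-bit single-component frame.
ONE_BY_ONE_JPEG_HEADER = b"\xff\xd8\xff\xc0" + struct.pack(">HBHHB", 11, 8, 1, 1, 1) + b"\x01\x11\x00"

if __name__ == "__main__":
    for name, blob in [("64x48 PNG", NORMAL_PNG), ("1x1 PNG", ONE_BY_ONE_PNG),
                       ("1x1 JPEG", ONE_BY_ONE_JPEG_HEADER)]:
        print(f"{name}: {'accepted' if is_accepted(blob) else 'rejected'}")
```

The header sniff deliberately does not decode the image: it only reads the dimensions the file declares, which is cheap and cannot itself be driven into an expensive decode by a hostile payload. It is a stopgap at the API boundary, not a substitute for the vendor's fix in the Idefics3 processor.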


How to mitigate CVE-2026-22773

Install the security update provided by the vendor.
