{"data":{"id":"6a50c90c-0e5c-4606-88f5-d835579c6625","title":"CVE-2026-22778: vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid i","summary":"vLLM, a system for running large language models, has a vulnerability in versions 0.8.3 through 0.14.0 where sending an invalid image to its multimodal endpoint causes it to leak a heap address (a memory location used for storing data). This information leak significantly weakens ASLR (address space layout randomization, a security feature that randomizes where programs load in memory), and attackers could potentially chain this leak with other exploits to gain remote code execution (the ability to run commands on the server).","solution":"This vulnerability is fixed in version 0.14.1. Update vLLM to version 0.14.1 or later.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-22778","publishedAt":"2026-02-03T04:16:06.700Z","cveId":"CVE-2026-22778","cweIds":["CWE-532"],"cvssScore":"9.8","cvssSeverity":"critical","severity":"critical","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["vLLM"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00084,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-215"],"crossRefCount":0,"attackSophistication":"advanced","impactType":["confidentiality","integrity"],"aiComponentTargeted":"inference","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}