CVE-2026-22773

6.5 MEDIUM

📋 TL;DR

This vulnerability allows remote attackers to crash vLLM servers running multimodal models with Idefics3 vision implementation by sending a specially crafted 1x1 pixel image. The tensor dimension mismatch causes an unhandled runtime error that terminates the entire server. Organizations using vLLM versions 0.6.4 through 0.11.x for serving multimodal models are affected.

💻 Affected Systems

Products:
  • vLLM
Versions: 0.6.4 to 0.11.x
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using multimodal models with Idefics3 vision model implementation. Pure text-only LLM deployments are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service for all users of the vLLM service, requiring manual server restart and potentially disrupting critical AI inference workloads.

🟠

Likely Case

Service disruption and downtime for vLLM-powered applications, requiring administrator intervention to restart crashed servers.

🟢

If Mitigated

Minimal impact with proper monitoring and automated restart mechanisms in place, though service interruptions may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a specially crafted 1x1 pixel image to the vulnerable endpoint. No authentication is required if the service is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.12.0

Vendor Advisory: https://github.com/vllm-project/vllm/security/advisories/GHSA-grg2-63fw-f2qr

Restart Required: Yes

Instructions:

1. Upgrade vLLM to version 0.12.0 or later using pip: pip install "vllm>=0.12.0" (quote the specifier so the shell does not treat >= as an output redirect)
2. Restart all vLLM servers and services
3. Verify the upgrade was successful

🔧 Temporary Workarounds

Input Validation Filter

all

Implement pre-processing to reject or resize 1x1 pixel images before they reach the vLLM engine
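One way to implement that pre-processing step, as an added example rather than code from the vLLM project: the filter below sits in front of the OpenAI-compatible chat-completions endpoint, decodes each inline base64 image, reads only the PNG/GIF/JPEG header with the standard library, and refuses to forward any image whose width or height is below a configurable minimum. The request shape (image_url content parts with data URLs), the MIN_DIM threshold, the model name and the sample PNG builder are all assumptions made for the example.

```python
"""Pre-processing filter for images bound for a vLLM OpenAI-compatible endpoint.

Added example (not vLLM project code). It reads only the image header with
the standard library, so no imaging dependency is needed, and rejects any
image whose width or height is below MIN_DIM before the request is
forwarded to the engine. Assumed request shape: an OpenAI-style
chat-completions payload whose "image_url" parts carry base64 data URLs.
"""
import base64
import re
import struct
import zlib

MIN_DIM = 2  # assumption: anything smaller than 2x2 pixels is rejected


class ImageRejected(ValueError):
    """Raised when an image cannot be parsed or fails the size policy."""


def image_dimensions(data: bytes) -> tuple[int, int]:
    """Return (width, height) from the header of a PNG, GIF or JPEG."""
    if data.startswith(b"\x89PNG\r\n\x1a\n") and data[12:16] == b"IHDR":
        return struct.unpack(">II", data[16:24])
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return struct.unpack("<HH", data[6:10])
    if data.startswith(b"\xff\xd8"):
        i = 2  # walk marker segments until a start-of-frame (SOFn) segment
        while i + 4 <= len(data):
            if data[i] != 0xFF:
                raise ImageRejected("malformed JPEG segment")
            marker = data[i + 1]
            if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
                i += 2  # standalone markers carry no length field
                continue
            seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                height, width = struct.unpack(">HH", data[i + 5:i + 9])
                return width, height
            i += 2 + seg_len
        raise ImageRejected("no JPEG frame header found")
    raise ImageRejected("unsupported or unrecognised image format")


_DATA_URL = re.compile(r"^data:image/[\w.+-]+;base64,(?P<b64>[A-Za-z0-9+/=]+)$")


def decode_data_url(url: str) -> bytes:
    """Decode a base64 image data URL; remote http(s) URLs are out of scope here."""
    m = _DATA_URL.match(url)
    if not m:
        raise ImageRejected("only base64 data URLs are accepted by this filter")
    try:
        return base64.b64decode(m.group("b64"), validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ImageRejected("invalid base64 payload") from exc


def validate_request(payload: dict):
    """Return None if every image part passes the size policy, else the rejection reason."""
    try:
        for message in payload.get("messages", []):
            content = message.get("content")
            if not isinstance(content, list):
                continue  # plain text message, nothing to check
            for part in content:
                if part.get("type") != "image_url":
                    continue
                width, height = image_dimensions(decode_data_url(part["image_url"]["url"]))
                if width < MIN_DIM or height < MIN_DIM:
                    return f"image is {width}x{height}; minimum is {MIN_DIM}x{MIN_DIM}"
    except (ImageRejected, struct.error, KeyError, TypeError) as exc:
        return f"malformed image part: {exc}"
    return None


def make_png(width: int, height: int) -> bytes:
    """Build a minimal valid 8-bit grayscale PNG (constructed test input)."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))  # filter byte + row
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def build_request(png: bytes) -> dict:
    """Constructed chat-completions payload carrying one inline image (model name is assumed)."""
    data_url = "data:image/png;base64," + base64.b64encode(png).decode("ascii")
    return {"model": "idefics3-model", "messages": [{"role": "user", "content": [
        {"type": "text", "text": "Describe this image."},
        {"type": "image_url", "image_url": {"url": data_url}},
    ]}]}


if __name__ == "__main__":
    for w, h in ((1, 1), (64, 48)):
        reason = validate_request(build_request(make_png(w, h)))
        print(f"{w}x{h}: {'forwarded' if reason is None else 'rejected: ' + reason}")
```

Parsing only the header keeps the filter cheap and avoids pulling a full image decoder into the proxy; anything it cannot parse is rejected rather than forwarded, which is the safe default for a component whose job is to keep malformed input away from the engine. If your deployment accepts remote image URLs, the same dimension check has to run after the fetch, on the bytes actually handed to vLLM.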

Process Monitoring and Auto-restart

linux

Configure monitoring to automatically restart vLLM processes if they crash

# Example using systemd (Linux)
[Service]
Restart=always
RestartSec=5

🧯 If You Can't Patch

  • Implement network-level filtering to block or rate-limit image uploads to vLLM endpoints
  • Deploy vLLM behind a reverse proxy with request size limits and input validation

🔍 How to Verify

Check if Vulnerable:

Check the vLLM version: python -c "import vllm; print(vllm.__version__)" and confirm whether the reported version falls between 0.6.4 and 0.11.x

Check Version:

python -c "import vllm; print(vllm.__version__)"

Verify Fix Applied:

Confirm the version is 0.12.0 or higher, then test with a 1x1 pixel image to ensure the server doesn't crash

📡 Detection & Monitoring

Log Indicators:

  • RuntimeError related to tensor dimension mismatch
  • Unexpected vLLM process termination
  • Error messages containing 'Idefics3' or 'vision model'

Network Indicators:

  • Multiple requests with small image files (especially 1x1 pixel)
  • Sudden drop in service availability

SIEM Query:

source="vllm.log" AND ("RuntimeError" OR "tensor dimension" OR "process terminated")
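The same detection logic expressed in code, as an added example rather than anything shipped with vLLM: it applies the query's OR clause line by line, then correlates a RuntimeError with a process termination that follows it within a short window and flags whether the error mentioned the vision model. The log layout and every log line below are constructed for the example; real vLLM messages may differ, so the patterns need adapting to the deployment's actual log format.

```python
"""Detection logic over vLLM log lines, equivalent to the SIEM query above.

Added example (not vLLM project code). The log lines below are constructed
to resemble a crash sequence; the real message text emitted by vLLM may
differ, so adapt the patterns to your deployment's log format.
"""
import re
from datetime import datetime, timedelta

# Terms from the SIEM query (OR-ed together) and context terms from the Log Indicators list.
QUERY_TERMS = ("RuntimeError", "tensor dimension", "process terminated")
CONTEXT_TERMS = ("Idefics3", "vision model")

# Assumed log line layout: "<date> <time>,<ms> <LEVEL> <logger>: <message>"
_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} (?P<level>[A-Z]+) (?P<msg>.*)$"
)

# Constructed sample log, not real vLLM output.
SAMPLE_LOG = """\
2026-01-15 10:31:58,004 INFO engine.py: received request chat-abc123 with 1 image(s)
2026-01-15 10:31:58,120 ERROR engine.py: RuntimeError: tensor dimension mismatch in Idefics3 vision model
2026-01-15 10:31:58,121 ERROR engine.py: engine loop failed, shutting down
2026-01-15 10:31:59,002 CRITICAL launcher.py: vLLM process terminated unexpectedly
2026-01-15 10:32:30,500 INFO engine.py: received request chat-def456 with 0 image(s)
"""


def siem_match(line: str) -> bool:
    """Case-insensitive equivalent of the query's OR clause."""
    low = line.lower()
    return any(term.lower() in low for term in QUERY_TERMS)


def parse_line(line: str):
    """Return (timestamp, level, message) or None for lines in another layout."""
    m = _LINE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("level"), m.group("msg")


def correlate_crashes(log_text: str, window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Raise one alert per RuntimeError that is followed by a process termination within `window`.

    Each alert records whether the error mentioned the vision model, which is
    the pattern to expect for this CVE rather than an unrelated crash.
    """
    alerts = []
    pending = None  # most recent RuntimeError not yet paired with a termination
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _level, msg = parsed
        low = msg.lower()
        if "runtimeerror" in low:
            pending = (ts, msg)
        elif "process terminated" in low and pending is not None and ts - pending[0] <= window:
            alerts.append({
                "error_at": pending[0].isoformat(sep=" "),
                "crash_at": ts.isoformat(sep=" "),
                "error": pending[1],
                "vision_related": any(t.lower() in pending[1].lower() for t in CONTEXT_TERMS),
            })
            pending = None
    return alerts


if __name__ == "__main__":
    hits = [line for line in SAMPLE_LOG.splitlines() if siem_match(line)]
    print(f"{len(hits)} line(s) match the SIEM query")
    for alert in correlate_crashes(SAMPLE_LOG):
        print(alert)
```

The correlation step is what turns a noisy keyword search into an actionable alert: a lone RuntimeError may be a recoverable request failure, but an error followed seconds later by a process termination is the crash signature this advisory describes, and the vision-model context term separates it from unrelated engine faults.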
