Skip to main content

vLLM CVE-2026-12491

| EUVDEUVD-2026-37645 MEDIUM
Misinterpretation of Input (CWE-115)
2026-06-17 redhat
4.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
4.8 MEDIUM

Network vector reflects API exposure; AC:H reflects required precision in metadata crafting; PR:N aligns with typical unauthenticated inference endpoints; C:N because no data disclosure occurs.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Red Hat
4.8 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 12:56 vuln.today
CVE Published
Jun 17, 2026 - 10:07 cve.org
MEDIUM 4.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 9 pypi packages depend on vllm (9 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.11.0.

DescriptionCVE.org

A flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data.

AnalysisAI

Image input manipulation in vLLM's multimodal preprocessing pipeline allows remote, unauthenticated network attackers to craft images with specific EXIF orientation or PNG tRNS transparency metadata that, when converted to RGB by vLLM, produces semantically altered image content fed to the LLM - affecting the integrity of inference outputs and potentially the reliability of the inference service. Affected deployments include Red Hat AI Inference Server across RHEL AI 3 and Red Hat OpenShift AI (RHOAI) environments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit crafted image with malicious EXIF orientation or PNG tRNS metadata to inference endpoint
Exploit
vLLM preprocessing converts image to RGB, silently discarding or misremapping metadata
Execution
Model receives semantically distorted pixel data differing from true image content
Impact
Model produces incorrect, attacker-influenced inference output

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target system runs vLLM or Red Hat AI Inference Server with multimodal image inference enabled and that the attacker can submit crafted image files to an inference endpoint accepting user-supplied content - this is the specific enabling condition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.8 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L correctly identifies this as a network-reachable, authentication-free flaw but one with high attack complexity - the attacker must carefully craft metadata to produce a meaningful and exploitable distortion in the model's perception of image content, which is non-trivial without specific knowledge of the preprocessing pipeline. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to a network-exposed vLLM or Red Hat AI Inference Server image inference endpoint submits a specially crafted PNG containing a misleading tRNS chunk - for example, one that renders innocuous when displayed normally but, after transparent-to-RGB conversion without an explicit background, reveals hidden text or imagery that was previously masked by transparency. The model then processes this distorted content and generates outputs based on the attacker-controlled visual payload rather than the intended input. …
Remediation Consult the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-12491 and the associated Bugzilla tracking ticket at https://bugzilla.redhat.com/show_bug.cgi?id=2489786 for vendor-released patch information; no exact fixed version number was confirmed in the available intelligence data, so patch status should be verified directly with Red Hat. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-12491 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy