VDB

CISA-2026-22773

CISA-2026-22773 PUBLISHED CVSS 6.5 MEDIUM

Reported by GitHub_M · Published January 10, 2026

vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0.

Risk Scores

CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products

VendorProductVersions
vllm-projectvllm>= 0.6.4, < 0.12.0
vllm-projectvllm>= 0.6.4, < 0.12.0, >= 0.6.4, < 0.12.0

Timeline

  • Jan 10, 2026 CVE Published
  • Jan 12, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›