CVE-2026-22778 enables remote code execution on vulnerable vLLM deployments by submitting a malicious video link to the API. This story will be updated as more information becomes available.
Breaking News: A new CVE in vLLM, CVE-2026-22778 (GHSA-4r2x-xpjr-7cvv) — a Python package with over 3M downloads per month — allows attackers to send a malicious video URL, resulting in arbitrary command execution on the server.
Overview
A critical vulnerability, CVE-2026-22778, was recently discovered in vLLM, a popular framework for serving Large Language Models (LLMs) with high throughput. This vulnerability allows an attacker to achieve Remote Code Execution (RCE) simply by sending a malicious video link to a vLLM API.
What is vLLM?
vLLM is a high-throughput, memory-efficient engine designed for serving Large Language Models (LLMs). It enables running LLMs on your servers faster, cheaper, and more efficiently than other general-purpose local runners like Ollama, especially under heavy concurrent workloads.
Who is affected
Any organization using vLLM and exposing a video model for user input.
OX customers affected by this issue were informed to update their vLLM version.
What is the potential damage
This RCE can be used for a full server takeover, including arbitrary command execution, data exfiltration, and lateral movement.
Recommended Actions
Immediate Actions:
- Update vLLM to the latest version that includes the fix (0.14.1).
- If you cannot update to the latest version, consider disabling the video model feature in production until patched.
Technical Analysis
LLMs are capable of handling large amounts of data, which can make traditional LLM serving relatively slow. This results in:
- Slower inference
- Limited ability to handle many users at once
- Inefficient GPU resource utilization
To address these issues, vLLM is commonly used, as it improves inference performance and scalability when serving large language models.
The issue we analyze here is based on a chain of two vulnerabilities that ultimately lead to Remote Code Execution (RCE).
First, to bypass the ASLR mitigation, the chain begins with an information leak caused by PIL error messages that expose memory addresses.
Second, the vulnerability that leads to RCE is a heap overflow in the JPEG2000 decoder used by OpenCV/FFmpeg, which can be exploited to achieve code execution.
The Exploitation Chain
When an invalid image is sent to the LLM’s multimodal endpoint, PIL returns an error indicating that it cannot identify the image file. During this process, a memory address is leaked — specifically, a heap address.
As shown in the fixed code, error messages containing sensitive addresses are now sanitized to prevent leaking the heap address.
Source: https://github.com/vllm-project/vllm/pull/31987/changes/54e21708e8aa3f2e9978adc023782110b78ce163
This address is located before libc in memory, which helps reduce the ASLR search space and enables bypassing the ASLR mitigation.
With the leaked address in hand, we can move on to the second vulnerability, which leads to remote code execution.
vLLM uses OpenCV to decode videos. OpenCV bundles FFmpeg 5.1.x, which contains a heap overflow in the JPEG2000 decoder.
Because OpenCV is used for video decoding, constructing a video from JPEG2000 frames can reach this vulnerability and lead to command execution.
We’ll start by explaining the normal behavior of JPEG2000 images to illustrate the overflow bug exploited in this CVE.
JPEG2000 images use separate buffers for the Y, U, and V channels:
- Y (luma) → large buffer
- U (chroma) → smaller buffer
The decoder should ensure that each channel is written to a buffer of the correct size. (Spoiler: it doesn’t.)
The JPEG2000 decoder trusts the cdef (channel definition) box, which allows channels to be remapped without validating buffer sizes.
In other words, Y data can be written into the U buffer, and vice versa.
If Y contains significantly more data than U, writing Y into U will fill the U buffer and overflow into adjacent heap memory.
The attacker controls the image geometry (size) and the channel mapping (via cdef). This allows precise control over how much data overflows and which heap objects are overwritten.
This effectively abuses the “internal headers” of the chunks inside the JPEG: by crafting them with very specific channel values, the attacker can execute a heap-based attack.
By gaining control over the heap, an attacker can overflow adjacent memory, overwrite a function pointer, and redirect execution to a libc function such as system().
To mitigate this issue, vLLM updated its OpenCV version to a fixed release.
Source: https://github.com/vllm-project/vllm/pull/32668/changes/d45c96aa3caff51ac6bba556829c461f5df4449c
Affected Packages
| Package name (in PyPi) | Affected versions | Fixed Version |
| vllm | >= 0.8.3, < 0.14.1 | 0.14.1 |
