GitHub Advisory — vLLM DoS via 1×1 image (CVE-2026-22773)
AI relevance: if you run vLLM as part of your model-serving stack, a single crafted multimodal request can crash the engine process and take an LLM endpoint (and any agents depending on it) offline.
- Issue: CVE-2026-22773 lets users crash the vLLM engine when serving multimodal models that use the Idefics3 vision implementation.
- Trigger: a specially crafted 1×1 pixel image can be misinterpreted due to ambiguous dimensions (HWC vs CHW), per the advisory.
- Failure mode: the misinterpretation leads to a wrong patch count and then a tensor split mismatch that throws an unhandled RuntimeError.
- Impact: the unhandled exception terminates the EngineCore process → complete server termination (DoS).
- Scope: affects models using the Idefics3 architecture; the advisory notes testing with HuggingFaceTB/SmolVLM-Instruct.
- Fix: upstream points to a fix PR and indicates the issue is patched in newer versions (advisory references PR #29881).
Why it matters
- Multimodal inputs are attacker-controlled: image parsing pipelines are now part of the model-serving perimeter; treat them like any other untrusted file parser.
- Availability is an agent dependency: agent stacks often chain multiple calls; crashing one inference endpoint can cascade into failures across workflows.
- Operational risk: repeated crashes can create alert fatigue, restart storms, or autoscaler churn — and mask other attacks.
What to do
- Upgrade vLLM: update to a version that includes the fix (the advisory references PR #29881).
- Validate image inputs: enforce minimum height/width and reject tiny or suspicious dimensions before they reach the model runtime.
- Harden serving: run model workers with process isolation and automatic restarts, but also apply rate limits and per-client quotas to slow repeated DoS attempts.
- Monitor for crash patterns: alert on repeated EngineCore exits correlated with multimodal requests (and capture minimal forensic metadata: image size, content-type, request IDs).
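One way to implement the "Validate image inputs" step in a gateway in front of the model server, as an added example that is not code from vLLM or the advisory. The function names, the MIN_SIDE/MAX_SIDE thresholds and the sample byte strings are assumptions made for illustration; the check reads declared dimensions from PNG, GIF and JPEG headers without decoding pixels.

```python
import struct

MIN_SIDE = 16    # assumed policy floor, not a value from the advisory
MAX_SIDE = 8192  # assumed ceiling, to bound decode cost

def image_dimensions(data: bytes):
    """Return (width, height) declared in a PNG, GIF or JPEG header."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR" and len(data) >= 24:
        return struct.unpack(">II", data[16:24])
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        return struct.unpack("<HH", data[6:10])
    if data[:2] == b"\xff\xd8":
        i = 2
        while i + 9 <= len(data) and data[i] == 0xFF:
            marker = data[i + 1]
            seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
            # SOF0..SOF15 carry the frame size; C4, C8 and CC are not SOF markers
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                h, w = struct.unpack(">HH", data[i + 5:i + 9])
                return w, h
            i += 2 + seg_len
    raise ValueError("unrecognized or truncated image header")

def admit_image(data: bytes, min_side=MIN_SIDE, max_side=MAX_SIDE):
    """Gate an upload before it is forwarded to the inference server."""
    try:
        w, h = image_dimensions(data)
    except (ValueError, struct.error):
        return False, "unparseable"
    if min(w, h) < min_side:
        return False, f"too small: {w}x{h}"
    if max(w, h) > max_side:
        return False, f"too large: {w}x{h}"
    return True, f"ok: {w}x{h}"

def png_header(w, h):
    """Constructed sample: PNG signature plus IHDR fields only, not a full image."""
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I4sII", 13, b"IHDR", w, h) + b"\x08\x02\x00\x00\x00"

TINY_PNG = png_header(1, 1)        # constructed: declares 1x1
NORMAL_PNG = png_header(640, 480)  # constructed: declares 640x480
TINY_GIF = b"GIF89a" + struct.pack("<HH", 1, 1)  # constructed: declares 1x1

if __name__ == "__main__":
    for name, blob in [("tiny png", TINY_PNG), ("normal png", NORMAL_PNG), ("tiny gif", TINY_GIF)]:
        print(name, admit_image(blob))
```

The gate trusts only what the header declares, so it reduces exposure alongside the upgrade rather than replacing it. Log the rejection reason with the request ID so it feeds the crash-pattern monitoring above.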
Sources
- GitHub security advisory: GHSA-grg2-63fw-f2qr
- Fix PR: vllm-project/vllm#29881