Home > Vulnerability Database > CVE-2026-22773

Mend.io Vulnerability Database

CVE-2026-22773

Good to know:

Date: January 10, 2026

vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0.

Severity Score

6.5

Related Resources (6)

Url: https://github.com/vllm-project/vllm/commit/0ec84221718d920c3f46da879cc354f94b8fb59e

Url: https://github.com/vllm-project/vllm/security/advisories/GHSA-grg2-63fw-f2qr

Url: https://github.com/vllm-project/vllm/pull/29881

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-22773

Url: https://github.com/vllm-project/vllm

Url: https://www.mend.io/vulnerability-database/CVE-2026-22773

Severity Score

6.5

Weakness Type (CWE)

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

Upgrade Version

Upgrade to version vllm - 0.12.0;vllm - 0.12.0;vllm - 0.12.0;https://github.com/vllm-project/vllm.git - v0.12.0

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-22773

Good to know:

Date: January 10, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?