What is CVE-2026-22773?

CVE-2026-22773 is a medium-severity vulnerability in Vllm-project Vllm, classified under Allocation of Resources Without Limits or Throttling. CVSS score: 6.5/10. Published 2026-01-10.

How severe is CVE-2026-22773?

Medium severity. CVSS v3 base score is 6.5 out of 10.

Resource exhaustion in Vllm-project Vllm

CVE-2026-22773

vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a spe…

EPSS: 0.000 (7.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Affected products

Vllm-project Vllm — versions >= 0.6.4, < 0.12.0

Weakness classification (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling

References

https://github.com/vllm-project/vllm/security/advisories/GHSA-grg2-63fw-f2qr (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-22773?: CVE-2026-22773 is a medium-severity vulnerability in Vllm-project Vllm, classified under Allocation of Resources Without Limits or Throttling. CVSS score: 6.5/10. Published 2026-01-10.
How severe is CVE-2026-22773?: Medium severity. CVSS v3 base score is 6.5 out of 10.