CVE-2026-44222 Overview
CVE-2026-44222 is a token injection vulnerability in vLLM, an inference and serving engine for large language models (LLMs). The flaw affects vLLM versions from 0.6.1 up to but not including 0.20.0. Unauthenticated, text-only prompts containing special token sequences are interpreted as control tokens by the multimodal processing pipeline. When attackers supply image or video placeholder sequences without matching multimodal data, vLLM indexes into empty grids during input-position computation. This triggers an unhandled IndexError that terminates the worker process and degrades service availability. The vulnerability is tracked as CWE-129: Improper Validation of Array Index and is fixed in vLLM 0.20.0.
Critical Impact
Remote unauthenticated attackers can crash vLLM workers using crafted text prompts, causing denial of service against LLM inference endpoints.
Affected Products
- vLLM versions 0.6.1 through 0.19.x
- Multimodal inference paths relying on image_grid_thw
- Multimodal inference paths relying on video_grid_thw
Discovery Timeline
- 2026-05-12 - CVE-2026-44222 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-44222
Vulnerability Analysis
The vulnerability resides in vLLM's multimodal processing pipeline. vLLM accepts prompts that can mix text with placeholders referencing image or video data. The serving engine parses these placeholders to compute input positions for the model. The processor scans incoming prompts for special tokens that designate where multimodal content should be embedded. When the parser encounters image or video placeholder tokens, it attempts to look up corresponding grid metadata in image_grid_thw or video_grid_thw structures. These structures hold the temporal-height-width dimensions of supplied multimodal tensors.
An unauthenticated client can submit a text-only prompt that spells out the special placeholder tokens directly. The processor treats these textual sequences as legitimate control tokens. Because no matching image or video data accompanies the request, the grid structures remain empty. The input-position computation then indexes into empty arrays, raising an unhandled IndexError. The exception propagates up and terminates the worker process serving the request.
Root Cause
The root cause is missing input validation between user-supplied text content and trusted control tokens. The multimodal preprocessor fails to verify that placeholder tokens originate from a structured multimodal request rather than free-form user text. It also fails to validate that the referenced grid index exists before dereferencing it. This combination of token confusion and missing bounds checking enables the crash.
Attack Vector
The attack requires only network access to a vulnerable vLLM endpoint. No authentication, no privileges, and no user interaction are required. An attacker sends a single HTTP request containing a text prompt that includes the special image or video placeholder token strings. The vLLM worker handling the request raises an unhandled exception and exits. Repeated requests sustain a denial-of-service condition against the inference service.
The vulnerability impacts availability only. Confidentiality and integrity are not directly affected. However, downstream applications dependent on the LLM service experience cascading failures when workers terminate.
Detection Methods for CVE-2026-44222
Indicators of Compromise
- Worker process crashes in vLLM logs accompanied by IndexError stack traces referencing image_grid_thw or video_grid_thw
- Repeated HTTP requests to /v1/completions or /v1/chat/completions containing image or video placeholder token strings without corresponding multimodal payloads
- Sudden increase in worker restart events on vLLM serving infrastructure
- Elevated 5xx response rates from vLLM-backed inference APIs
Detection Strategies
- Monitor vLLM worker logs for unhandled IndexError exceptions originating from multimodal preprocessing modules
- Inspect inbound prompt payloads for embedded special tokens that should only appear in structured multimodal requests
- Correlate spikes in worker restarts with request payload patterns to identify malicious clients
- Deploy rate limiting and anomaly detection on inference API gateways to flag abusive request patterns
Monitoring Recommendations
- Forward vLLM application logs and worker crash events to a centralized SIEM for correlation
- Track per-client request rates and prompt content distribution to detect targeted abuse
- Alert on any prompt containing multimodal placeholder tokens that lacks an accompanying image or video field
- Monitor inference service latency, error rate, and worker availability as key health indicators
How to Mitigate CVE-2026-44222
Immediate Actions Required
- Upgrade vLLM to version 0.20.0 or later on all inference servers
- Audit existing deployments for vulnerable versions in the 0.6.1 to 0.19.x range
- Place vLLM endpoints behind authenticated API gateways to limit unauthenticated exposure
- Implement input filtering at the gateway layer to reject prompts containing raw multimodal placeholder tokens
Patch Information
The vulnerability is fixed in vLLM 0.20.0. The patch validates that placeholder tokens correspond to supplied multimodal data and adds bounds checking before indexing into grid structures. Refer to the GitHub Security Advisory GHSA-hpv8-x276-m59f for full remediation details. Additional technical context is available in the vLLM GitHub Issue Discussion.
Workarounds
- Sanitize incoming prompts to strip or reject image and video placeholder token strings from text-only requests
- Restrict access to vLLM serving endpoints using network segmentation and authentication
- Deploy a reverse proxy that validates request schemas before forwarding to vLLM workers
- Configure worker supervisors to automatically restart crashed processes while patching is scheduled
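The check described under Monitoring Recommendations and Workarounds, as an added example that is neither vLLM's code nor part of this advisory: a gateway-side filter that flags prompts spelling out placeholder tokens without an accompanying image or video part, plus a log scan for the IndexError indicator. The placeholder strings in PLACEHOLDER_TOKENS, the OpenAI-compatible request shapes and the sample log are assumptions; set the tokens to those of the deployed model's tokenizer.

```python
# Assumed example placeholder strings, not taken from the advisory: set these
# to the image/video placeholder tokens of the deployed model's tokenizer.
PLACEHOLDER_TOKENS = ("<|image_pad|>", "<|video_pad|>")
MULTIMODAL_PART_TYPES = {"image_url", "video_url"}

def _prompt_texts(payload: dict) -> list:
    """User text from a /v1/completions or /v1/chat/completions body."""
    texts = []
    prompt = payload.get("prompt")
    if isinstance(prompt, str):
        texts.append(prompt)
    elif isinstance(prompt, list):
        texts.extend(p for p in prompt if isinstance(p, str))
    for msg in payload.get("messages", []):
        content = msg.get("content")
        if isinstance(content, str):
            texts.append(content)
        elif isinstance(content, list):
            texts.extend(part.get("text", "") for part in content
                         if part.get("type") == "text")
    return texts

def _has_multimodal_part(payload: dict) -> bool:
    """True if any chat message carries a structured image/video part."""
    return any(isinstance(msg.get("content"), list) and any(
        part.get("type") in MULTIMODAL_PART_TYPES for part in msg["content"])
        for msg in payload.get("messages", []))

def is_orphan_placeholder_request(payload: dict) -> bool:
    """CVE-2026-44222 pattern: a placeholder token spelled out in prompt text
    with no image/video data in the request. Reject at the gateway, alert on it."""
    has_token = any(tok in text for text in _prompt_texts(payload)
                    for tok in PLACEHOLDER_TOKENS)
    return has_token and not _has_multimodal_part(payload)

def count_grid_index_crashes(log_text: str) -> int:
    """Log-side IoC: tracebacks ending in IndexError that mention a grid."""
    tracebacks = log_text.split("Traceback (most recent call last):")[1:]
    return sum(1 for tb in tracebacks if "IndexError" in tb
               and ("image_grid_thw" in tb or "video_grid_thw" in tb))

# Constructed sample inputs (not real traffic or real vLLM log output).
ORPHAN = {"messages": [{"role": "user", "content": "Describe <|image_pad|>"}]}
LEGIT = {"messages": [{"role": "user", "content": [
    {"type": "text", "text": "Describe this picture"},
    {"type": "image_url", "image_url": {"url": "data:image/png;base64,AAAA"}}]}]}
SAMPLE_LOG = ("Traceback (most recent call last):\n"
              '  File "<worker>", line 1, in compute_positions\n'
              "    t, h, w = image_grid_thw[image_index]\n"
              "IndexError: index 0 is out of bounds for dimension 0 with size 0\n")
```

A legitimate multimodal request that carries both the placeholder text and an image_url part is not flagged, so the filter only rejects the text-only case the advisory describes.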
# Upgrade command (shell)
pip install --upgrade "vllm>=0.20.0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.