Denial of service and potential arbitrary code execution via malformed multimodal embedding requests
Summary
vLLM versions >= 0.10.2 and < 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests with malformed (negative or out-of-bounds) tensor indices, when the prompt-embeds feature is enabled, to trigger crashes or resource exhaustion (denial of service), with potential for out-of-bounds/write-what-where memory corruption. This continues CVE-2025-62164, whose prior fix only disabled the feature by default rather than addressing the root cause. A flaw was found in vLLM. This vulnerability allows a remote attacker to trigger crashes or resource exhaustion, leading to a denial of service (DoS). By submitting specially crafted embedding requests with malformed tensor indices, when the `prompt-embeds` feature is enabled, an attacker could also potentially achieve out-of-bounds memory corruption, which may enable arbitrary code execution. Red Hat rates this issue as having Important impact for affected Red Hat AI Inference Server images shipping vLLM 0.10.2 through 0.13.x when prompt-embeds multimodal embedding support is enabled. Versions outside this range, Red Hat OpenShift AI KServe sidecars, and Red Hat Enterprise Linux AI 3.4 bootc images (vLLM 0.17+/0.18+) are not affected. Red Hat severity: Important — CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-787. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- Disable prompt-embeds if not required. Restrict who can submit multimodal embedding requests. Apply authentication and rate limits on inference APIs. Upgrade to a fixed vLLM build when available from Red Hat.
Official advisory · high-confidence parse· fetched 4 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.