CVE-2026-12491

Source
https://cve.org/CVERecord?id=CVE-2026-12491
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12491.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-12491
Aliases
Downstream
Related
Published
2026-06-17T10:07:28.756Z
Modified
2026-07-09T03:51:38.538494574Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS Calculator
Summary
Vllm: vllm: image exif rotation & png trns transparency not normalized, causing mismatch between model input and expectations
Details

A flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12491.json",
    "cwe_ids": [
        "CWE-115"
    ],
    "cna_assigner": "redhat"
}
References

Affected packages

Git / github.com/vllm-project/vllm

Affected ranges

Type
GIT
Repo
https://github.com/vllm-project/vllm
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0.11.0"
        },
        {
            "fixed": "0.24.0"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12491.json"