PatchSiren cyber security CVE debrief

CVE-2026-12491 Red Hat CVE debrief

The CVE-2026-12491 vulnerability in vLLM, an open-source library for large language model inference, arises from improper handling of image metadata. Specifically, EXIF orientation and PNG transparency (tRNS) data are not correctly processed when images are converted to RGB. This can lead to unexpected rendering of transparent pixels and distortion of input content, potentially affecting the integrity of processed data. The vulnerability has a CVSS score of 4.8 and is classified as MEDIUM severity. Organizations using vLLM for image processing should be aware of this issue and take necessary precautions.

Vendor: Red Hat
Product: Red Hat AI Inference Server
CVSS: MEDIUM 4.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Organizations utilizing vLLM for large language model inference, especially those processing images with metadata, should be aware of this vulnerability. This includes developers and users of vLLM in various applications, particularly where image content integrity is crucial.

Technical summary

The vulnerability is caused by improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing in vLLM. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update vLLM to the latest version that addresses this vulnerability.
  • Review and validate image processing workflows to ensure correct handling of metadata.
  • Implement additional validation and sanitization of image metadata before processing.
  • Monitor for and respond to potential distortions in image content.
  • Consider using alternative libraries or workarounds until an official fix is available.
  • Engage with the vLLM community for updates and patches related to this issue.
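The technical summary above describes metadata that an RGB conversion silently drops or ignores (a PNG tRNS chunk or alpha channel, an EXIF Orientation tag), and the action list asks for validation of image metadata before processing. The following is an added example, not code from vLLM, Red Hat or PatchSiren: a standard-library-only pre-flight check that parses PNG chunks and the JPEG APP1/EXIF segment, reports whether either feature is present, and flags the image for normalization before it reaches the inference pipeline. The PNG and JPEG builders at the bottom construct the sample inputs inline; the `inspect_image` report format and the `needs_normalization` policy flag are this example's own conventions.

```python
"""Added example: detect EXIF orientation and PNG transparency before RGB conversion.

Not vLLM's or Red Hat's code. Uses only the standard library so it runs offline.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
EXIF_ORIENTATION_TAG = 0x0112
TIFF_TYPE_SHORT = 3


def inspect_png(data: bytes) -> dict:
    """Walk the PNG chunk list; report colour type and whether a tRNS chunk exists."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, color_type, has_trns = len(PNG_SIG), None, False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            color_type = body[9]          # width(4) height(4) depth(1) colour type(1)
        elif ctype == b"tRNS":
            has_trns = True               # palette/colour-key transparency
        elif ctype == b"IEND":
            break
        pos += 12 + length                # length + type + data + CRC
    has_alpha_channel = color_type in (4, 6)   # grey+alpha, RGB+alpha
    return {"format": "png", "color_type": color_type, "has_trns": has_trns,
            "has_alpha_channel": has_alpha_channel,
            "transparency": has_trns or has_alpha_channel}


def _orientation_from_tiff(tiff: bytes):
    """Read the Orientation entry from IFD0 of an embedded TIFF structure."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return None
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        tag, typ, _n = struct.unpack(endian + "HHI", entry[:8])
        if tag == EXIF_ORIENTATION_TAG and typ == TIFF_TYPE_SHORT:
            return struct.unpack(endian + "H", entry[8:10])[0]  # value is left-justified
    return None


def exif_orientation(data: bytes):
    """Return the EXIF Orientation value of a JPEG, or None if there is none."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == 0xFFDA:              # start of scan: metadata segments are over
            break
        segment = data[pos + 4:pos + 2 + length]
        if marker == 0xFFE1 and segment.startswith(b"Exif\x00\x00"):
            return _orientation_from_tiff(segment[6:])
        pos += 2 + length
    return None


def inspect_image(data: bytes) -> dict:
    """Report metadata that a plain RGB conversion would drop or ignore."""
    if data.startswith(PNG_SIG):
        info = inspect_png(data)
        reasons = ["png-transparency"] if info["transparency"] else []
    elif data[:2] == b"\xff\xd8":
        orientation = exif_orientation(data)
        info = {"format": "jpeg", "exif_orientation": orientation}
        reasons = ["exif-orientation"] if orientation not in (None, 1) else []
    else:
        raise ValueError("unsupported image format")
    info["reasons"] = reasons
    info["needs_normalization"] = bool(reasons)   # caller composites/transposes or rejects
    return info


# --- constructed sample inputs (not real captured files) ---------------------
def make_png(color_type: int, with_trns: bool) -> bytes:
    """Build a 1x1 PNG (colour type 2 = RGB, 6 = RGBA), optionally with a tRNS chunk."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, color_type, 0, 0, 0)
    raw = b"\x00" + b"\xff" * {2: 3, 6: 4}[color_type]   # filter byte + one white pixel
    out = PNG_SIG + chunk(b"IHDR", ihdr)
    if with_trns:
        out += chunk(b"tRNS", struct.pack(">HHH", 255, 255, 255))  # white is transparent
    return out + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def make_jpeg_with_orientation(orientation: int) -> bytes:
    """Build a JPEG skeleton (SOI, APP1 with one-entry EXIF IFD0, EOI)."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", 1)
    tiff += struct.pack(">HHIHH", EXIF_ORIENTATION_TAG, TIFF_TYPE_SHORT, 1, orientation, 0)
    tiff += struct.pack(">I", 0)                       # no next IFD
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


if __name__ == "__main__":
    for sample in (make_png(2, True), make_png(6, False), make_jpeg_with_orientation(6)):
        print(inspect_image(sample))
```

A pipeline can call `inspect_image` on the raw upload and, when `needs_normalization` is set, apply the orientation and composite the alpha channel onto a fixed background before the RGB conversion, or reject the file under a strict policy; either choice is made explicitly rather than left to whatever the conversion routine discards.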

Evidence notes

The information provided is based on data from the National Vulnerability Database (NVD) and Red Hat security advisories. The CVE record and NVD detail pages provide official information about the vulnerability. Red Hat security advisories offer additional context and potential mitigations.

Official resources
