CVE-2023-52356: vLLM heap overflow DoS

CISO Take

A heap-based buffer overflow in libtiff's TIFFReadRGBATileExt() allows a remote, unauthenticated attacker to crash any service that processes crafted TIFF files—including Red Hat AI Infrastructure Service (RHAIIS) vLLM inference servers. With a CVSS of 7.5 and a vector of AV:N/AC:L/PR:N/UI:N, exploitation requires zero privileges and zero user interaction: an attacker submits a malformed TIFF to an inference endpoint and crashes the worker process. While not yet in CISA KEV and no public exploit exists, the 130 downstream dependents and 53 prior CVEs in libtiff indicate a chronically vulnerable surface that warrants immediate action in AI-enabled Red Hat environments. Remediate by applying RHSA-2024:5079 and all subsequent Red Hat errata through RHSA-2026:25096, and enforce TIFF input validation at the API gateway layer as a defense-in-depth measure.

Sources: NVD ATLAS Red Hat Security Advisories

What is the risk?

Medium-High for vLLM deployments and multimodal AI pipelines on Red Hat infrastructure. Exploitability is high—no authentication, no interaction, fully network-accessible—but the impact is confined to availability (the CVSS vector shows C:N/I:N/A:H). The risk is significant for production inference serving environments where uptime is business-critical. Unpatched RHAIIS deployments accepting image inputs from external or semi-trusted sources are the primary exposure surface.

How does the attack unfold?

Target Identification

Adversary identifies a vLLM inference endpoint (RHAIIS deployment) that accepts multimodal image inputs, confirming it processes TIFF files.

AML.T0006

Payload Crafting

Attacker engineers a malformed TIFF file that exploits incorrect tile geometry handling in libtiff's TIFFReadRGBATileExt(), triggering an out-of-bounds heap write.

Exploitation

Attacker submits the crafted TIFF as an inference request; the unpatched libtiff processes the tile and crashes the vLLM worker process with SIGSEGV.

AML.T0049

Denial of Service

The vLLM inference process terminates, making the LLM service unavailable; repeated submissions sustain the outage across auto-restart cycles.

AML.T0029

Target Identification

Adversary identifies a vLLM inference endpoint (RHAIIS deployment) that accepts multimodal image inputs, confirming it processes TIFF files.

AML.T0006

Payload Crafting

Attacker engineers a malformed TIFF file that exploits incorrect tile geometry handling in libtiff's TIFFReadRGBATileExt(), triggering an out-of-bounds heap write.

Exploitation

Attacker submits the crafted TIFF as an inference request; the unpatched libtiff processes the tile and crashes the vLLM worker process with SIGSEGV.

AML.T0049

Denial of Service

The vLLM inference process terminates, making the LLM service unavailable; repeated submissions sustain the outage across auto-restart cycles.

AML.T0029

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
vLLM	pip	—	No patch
82.1K 130 dependents Pushed 5d ago 42% patched ~32d to patch Full package profile →
vLLM	pip	—	No patch
82.1K 130 dependents Pushed 5d ago 42% patched ~32d to patch Full package profile →
vLLM	pip	—	No patch
82.1K 130 dependents Pushed 5d ago 42% patched ~32d to patch Full package profile →
vLLM	pip	—	No patch
82.1K 130 dependents Pushed 5d ago 42% patched ~32d to patch Full package profile →
compat-libtiff3	—	—	No patch
discovery/discovery-ui-rhel9	—	—	No patch
libtiff	—	—	No patch
rhaiis/model-opt-cuda-rhel9	—	—	No patch

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

What should I do?

5 steps

Apply Red Hat Security Advisories immediately: RHSA-2024:5079 is the primary patch; subsequent errata (RHSA-2025:20801, RHSA-2025:21994, RHSA-2025:23078–23080, RHSA-2026:16174, RHSA-2026:25096, RHSA-2026:3461–3462) address affected package variants.
Audit all RHAIIS vLLM deployments for libtiff version using rpm -q libtiff compat-libtiff3.
Implement input validation and strict file-type allowlisting at the API gateway — reject TIFF files or validate them before forwarding to inference workers.
Rate-limit inference API endpoints to reduce the impact of repeated crash-and-restart attacks.
Monitor vLLM worker processes for unexpected SIGSEGV crashes as a detection signal; alert on abnormal process restart rates in inference infrastructure.

How is it classified?

DoS Inference AML.T0029 - Denial of AI Service AML.T0034.001 - Resource-Intensive Queries AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 9 - Risk Management System — Technical Robustness

ISO 42001

A.9.3 - AI System Availability and Resilience

NIST AI RMF

MANAGE 2.2 - Mechanisms for AI Risk Response

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2023-52356?

A heap-based buffer overflow in libtiff's TIFFReadRGBATileExt() allows a remote, unauthenticated attacker to crash any service that processes crafted TIFF files—including Red Hat AI Infrastructure Service (RHAIIS) vLLM inference servers. With a CVSS of 7.5 and a vector of AV:N/AC:L/PR:N/UI:N, exploitation requires zero privileges and zero user interaction: an attacker submits a malformed TIFF to an inference endpoint and crashes the worker process. While not yet in CISA KEV and no public exploit exists, the 130 downstream dependents and 53 prior CVEs in libtiff indicate a chronically vulnerable surface that warrants immediate action in AI-enabled Red Hat environments. Remediate by applying RHSA-2024:5079 and all subsequent Red Hat errata through RHSA-2026:25096, and enforce TIFF input validation at the API gateway layer as a defense-in-depth measure.

Is CVE-2023-52356 actively exploited?

No confirmed active exploitation of CVE-2023-52356 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-52356?

1. Apply Red Hat Security Advisories immediately: RHSA-2024:5079 is the primary patch; subsequent errata (RHSA-2025:20801, RHSA-2025:21994, RHSA-2025:23078–23080, RHSA-2026:16174, RHSA-2026:25096, RHSA-2026:3461–3462) address affected package variants. 2. Audit all RHAIIS vLLM deployments for libtiff version using `rpm -q libtiff compat-libtiff3`. 3. Implement input validation and strict file-type allowlisting at the API gateway — reject TIFF files or validate them before forwarding to inference workers. 4. Rate-limit inference API endpoints to reduce the impact of repeated crash-and-restart attacks. 5. Monitor vLLM worker processes for unexpected SIGSEGV crashes as a detection signal; alert on abnormal process restart rates in inference infrastructure.

What systems are affected by CVE-2023-52356?

This vulnerability affects the following AI/ML architecture patterns: LLM inference serving (vLLM), Multimodal and vision-language model pipelines, Red Hat AI Infrastructure Service (RHAIIS) deployments, Document intelligence and image ingestion pipelines.

What is the CVSS score for CVE-2023-52356?

CVE-2023-52356 has a CVSS v3.1 base score of 7.5 (HIGH).

What is the AI security impact?

Affected AI Architectures

LLM inference serving (vLLM)Multimodal and vision-language model pipelinesRed Hat AI Infrastructure Service (RHAIIS) deploymentsDocument intelligence and image ingestion pipelines

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service

AML.T0034.001 Resource-Intensive Queries

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9

ISO 42001: A.9.3

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.

Exploitation Scenario

An attacker targeting an enterprise vLLM multimodal deployment crafts a specially malformed TIFF file that triggers the heap-based buffer overflow in libtiff's tile-processing code. They submit this file as an image attachment in a multimodal inference API request — no credentials or prior access required. The vLLM worker process calls TIFFReadRGBATileExt() on the malformed tile, overflows the heap buffer, and crashes with SIGSEGV. In environments with auto-restart configured, the attacker sends a continuous stream of crafted requests to sustain the outage, effectively keeping the inference service offline. This could disrupt AI-dependent workflows such as automated document processing, medical imaging analysis, or any pipeline where libtiff-linked vLLM handles external image input.

Weaknesses (CWE)

CWE-122 Heap-based Buffer Overflow

CWE-122 — Heap-based Buffer Overflow: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Pre-design: Use a language or compiler that performs automatic bounds checking.
[Architecture and Design] Use an abstraction library to abstract away risky APIs. Not a complete solution.

Source: MITRE CWE corpus.