CVE-2026-12491: vLLM: image metadata mishandling corrupts multimodal inputs

MEDIUM
Published June 17, 2026
CISO Take

CVE-2026-12491 is a medium-severity input integrity flaw in vLLM where improper handling of EXIF orientation and PNG transparency (tRNS) during RGB conversion silently distorts images before they reach the model, allowing an attacker to craft inputs that appear benign to human reviewers but present meaningfully different content to the AI. With 130 downstream dependents and a package history of 56 CVEs, vLLM carries real supply-chain weight in enterprise AI stacks — though high attack complexity (AC:H) and absence from CISA KEV keep this below breaking-alert threshold for most teams. The primary risk surface is multimodal deployments using vLLM for content moderation, document analysis, or visual decision-support, where silent misclassification may propagate downstream without triggering any error. Until a patched build is available, preprocess images explicitly using Pillow's exif_transpose() and composite PNG alpha onto a solid background before submission to vLLM; Red Hat RHAIIS and RHOAI users should subscribe to errata for the affected container images.

Sources: NVD, ATLAS, Red Hat Security Advisory

What is the risk?

Medium overall risk. CVSS 4.8 with AC:H means an attacker must understand the preprocessing pipeline and craft precisely structured image metadata — not script-kiddie territory. No public exploits exist, no KEV listing, and no EPSS data is available. The individual impact dimensions are low (I:L, A:L), but the compounding risk is higher in automated pipelines: silent input distortion propagates incorrect inferences downstream without triggering observable errors, making detection harder than a crash or obvious output anomaly. Enterprise exposure is concentrated in Red Hat AI Image Suite (RHAIIS) and OpenShift AI (RHOAI) container-based deployments across CPU, CUDA, ROCm, Neuron, Gaudi, TPU, and Spyre variants.

How does the attack unfold?

  1. Target Identification (AML.T0006): Adversary identifies a vLLM multimodal inference endpoint accepting image inputs via API documentation, network scanning, or public service enumeration.

  2. Adversarial Image Crafting (AML.T0043.003): Attacker embeds adversarial EXIF orientation tags (e.g., rotate 90°/180°) or PNG tRNS transparency data encoding hidden content, producing an image that appears benign to human reviewers and standard tools.

  3. Inference Exploitation (AML.T0049): Crafted image is submitted to the vLLM API; the preprocessing pipeline silently applies the orientation transformation or discards transparency data, presenting a distorted image to the model without raising any error.

  4. Output Integrity Compromise (AML.T0031): Model processes the silently distorted image and produces incorrect classifications, bypassed content moderation decisions, or corrupted data extractions that propagate downstream without triggering alerts.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
vLLM pip No patch
82.8K · 130 dependents · Pushed 3d ago · 37% patched · ~30d to patch
rhelai3/bootc-aws-cuda-rhel9 No patch
rhelai3/bootc-azure-cuda-rhel9 No patch
rhelai3/bootc-azure-rocm-rhel9 No patch
rhelai3/bootc-cuda-rhel9 No patch
rhelai3/bootc-gaudi-rhel9 No patch
rhelai3/bootc-gcp-cuda-rhel9 No patch
rhelai3/bootc-rocm-rhel9 No patch
rhoai/odh-kserve-agent-rhel9 No patch
rhoai/odh-kserve-controller-rhel9 No patch
rhoai/odh-kserve-router-rhel9 No patch
rhoai/odh-kserve-storage-initializer-rhel9 No patch
rhoai/odh-llm-d-kv-cache-rhel9 No patch

How severe is it?

CVSS 3.1: 4.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV Network
AC High
PR None
UI None
S Unchanged
C None
I Low
A Low

What should I do?

5 steps
  1. Monitor the vLLM upstream repository and Red Hat Security Advisory (access.redhat.com/security/cve/CVE-2026-12491) for patched package versions — no fixed version is listed yet.

  2. Interim workaround: preprocess all images before vLLM ingestion using Pillow — apply ImageOps.exif_transpose() to normalize EXIF orientation, and composite PNG images with transparency onto a white (or contextually appropriate) background via Image.alpha_composite before converting to RGB.

  3. For Red Hat deployments, subscribe to errata for rhaiis/vllm-* and rhoai/odh-vllm-* container images and update when patched builds are released.

  4. Audit multimodal pipelines where content moderation or safety classification relies on correct image orientation or transparent pixel rendering, as these are highest-risk decision points.

  5. Detection: log image metadata (EXIF orientation tag, PIL mode before and after conversion) at ingestion boundaries to identify anomalous or crafted inputs.
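
Steps 2 and 5 as an added Python example using Pillow (not vLLM or Red Hat code). The function names, the `image_ingest` logger name and the white default background are assumptions, and both sample images are constructed in memory.

```python
import io
import logging

from PIL import Image, ImageOps

log = logging.getLogger("image_ingest")   # hypothetical logger name
ORIENTATION_TAG = 0x0112                   # standard EXIF Orientation tag


def normalize_for_inference(data: bytes, background=(255, 255, 255)):
    """Return (RGB image, audit record) with orientation and alpha made explicit."""
    img = Image.open(io.BytesIO(data))
    img.load()
    audit = {
        "format": img.format,
        "mode_in": img.mode,
        "exif_orientation": img.getexif().get(ORIENTATION_TAG, 1),
    }
    # Step 2a: bake the EXIF orientation into the pixels.
    img = ImageOps.exif_transpose(img)
    # Step 2b: alpha channel or tRNS chunk -> composite onto a solid background.
    audit["has_transparency"] = "A" in img.getbands() or "transparency" in img.info
    if audit["has_transparency"]:
        rgba = img.convert("RGBA")          # promotes tRNS to a real alpha channel
        canvas = Image.new("RGBA", rgba.size, tuple(background) + (255,))
        img = Image.alpha_composite(canvas, rgba)
    rgb = img.convert("RGB")
    audit["mode_out"], audit["size_out"] = rgb.mode, rgb.size
    # Step 5: one log record per image at the ingestion boundary.
    log.info("image normalized: %s", audit)
    return rgb, audit


def sample_rotated_jpeg() -> bytes:
    """Constructed sample: 4x2 JPEG tagged with EXIF orientation 6."""
    exif = Image.Exif()
    exif[ORIENTATION_TAG] = 6
    buf = io.BytesIO()
    Image.new("RGB", (4, 2), "gray").save(buf, "JPEG", exif=exif.tobytes())
    return buf.getvalue()


def sample_trns_png() -> bytes:
    """Constructed sample: 2x1 RGB PNG whose tRNS chunk marks pure red transparent."""
    img = Image.new("RGB", (2, 1), (0, 0, 255))
    img.putpixel((0, 0), (255, 0, 0))
    buf = io.BytesIO()
    img.save(buf, "PNG", transparency=(255, 0, 0))
    return buf.getvalue()
```

For the tRNS sample the PIL mode is `RGB` both before and after conversion, so the audit record carries `has_transparency` as well; a mode comparison alone would not flag it.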

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.3 - AI system testing
NIST AI RMF
MEASURE 2.5 - AI risk and benefits are measured
OWASP LLM Top 10
LLM04 - Data and Model Poisoning

Frequently Asked Questions

What is CVE-2026-12491?

CVE-2026-12491 is a medium-severity input integrity flaw in vLLM where improper handling of EXIF orientation and PNG transparency (tRNS) during RGB conversion silently distorts images before they reach the model, allowing an attacker to craft inputs that appear benign to human reviewers but present meaningfully different content to the AI. With 130 downstream dependents and a package history of 56 CVEs, vLLM carries real supply-chain weight in enterprise AI stacks — though high attack complexity (AC:H) and absence from CISA KEV keep this below breaking-alert threshold for most teams. The primary risk surface is multimodal deployments using vLLM for content moderation, document analysis, or visual decision-support, where silent misclassification may propagate downstream without triggering any error. Until a patched build is available, preprocess images explicitly using Pillow's exif_transpose() and composite PNG alpha onto a solid background before submission to vLLM; Red Hat RHAIIS and RHOAI users should subscribe to errata for the affected container images.

Is CVE-2026-12491 actively exploited?

No confirmed active exploitation of CVE-2026-12491 has been reported, but organizations should still act proactively: apply the interim workaround now and patch once a fixed build is released.

How to fix CVE-2026-12491?

  1. Monitor the vLLM upstream repository and Red Hat Security Advisory (access.redhat.com/security/cve/CVE-2026-12491) for patched package versions — no fixed version is listed yet.

  2. Interim workaround: preprocess all images before vLLM ingestion using Pillow — apply ImageOps.exif_transpose() to normalize EXIF orientation, and composite PNG images with transparency onto a white (or contextually appropriate) background via Image.alpha_composite before converting to RGB.

  3. For Red Hat deployments, subscribe to errata for rhaiis/vllm-* and rhoai/odh-vllm-* container images and update when patched builds are released.

  4. Audit multimodal pipelines where content moderation or safety classification relies on correct image orientation or transparent pixel rendering, as these are highest-risk decision points.

  5. Detection: log image metadata (EXIF orientation tag, PIL mode before and after conversion) at ingestion boundaries to identify anomalous or crafted inputs.

What systems are affected by CVE-2026-12491?

This vulnerability affects the following AI/ML architecture patterns: Multimodal LLM inference pipelines, Visual question answering deployments, AI-powered content moderation systems, Document analysis and OCR pipelines, Containerized model serving (Red Hat RHAIIS/RHOAI).

What is the CVSS score for CVE-2026-12491?

CVE-2026-12491 has a CVSS v3.1 base score of 4.8 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

Multimodal LLM inference pipelines
Visual question answering deployments
AI-powered content moderation systems
Document analysis and OCR pipelines
Containerized model serving (Red Hat RHAIIS/RHOAI)

MITRE ATLAS Techniques

AML.T0015 Evade AI Model
AML.T0043 Craft Adversarial Data
AML.T0043.003 Manual Modification
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.1.3
NIST AI RMF: MEASURE 2.5
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

A flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data.

Exploitation Scenario

An adversary targeting a vLLM-based content moderation service crafts JPEG images with EXIF orientation tags set to rotate the image 90 or 180 degrees, embedding prohibited content in an orientation that only becomes visible after the silent preprocessing transformation applied by vLLM. The submitted image appears completely benign to human reviewers and standard image viewers, but the model receives a rotated version that exposes the prohibited content — bypassing the content filter systematically. Alternatively, an attacker crafts PNG images where restricted content is encoded in transparent pixel regions using tRNS data; vLLM's RGB conversion renders those pixels fully visible to the model while they remain invisible in standard preview tools. In document analysis pipelines, the same technique could cause OCR or document-understanding models to misread rotated or corrupted text, subtly poisoning extracted data in downstream systems.

Weaknesses (CWE)

CWE-115 — Misinterpretation of Input: The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L


Timeline

Published: June 17, 2026
Last Modified: June 17, 2026
First Seen: June 17, 2026
