CVE-2026-5201: gdk-pixbuf: JPEG heap overflow crashes vLLM inference

HIGH
Published March 31, 2026
CISO Take

A heap buffer overflow in gdk-pixbuf's JPEG image loader (CWE-122) allows a remote, unauthenticated attacker to crash any application processing attacker-controlled JPEG images — no user interaction required (AV:N/AC:L/PR:N/UI:N). The AI-specific risk is direct: Red Hat's RHAIIS vLLM container images (vllm-cuda-rhel9, vllm-rocm-rhel9, vllm-spyre-rhel9) bundle gdk-pixbuf as a dependency, meaning a crafted JPEG submitted to a multimodal inference endpoint can take down the entire serving container, with 130 downstream dependents amplifying the blast radius across Red Hat-based AI stacks. No public exploit or KEV listing exists yet, but the trivial exploit path and broad enterprise adoption of Red Hat AI infrastructure prompted at least 10 vendor advisories (RHSA-2026:10707 through RHSA-2026:12061). Rebuild vLLM containers from patched Red Hat base images immediately and add JPEG validation at the API gateway as a defence-in-depth control.

Sources: NVD, ATLAS, Red Hat Security Advisory (access.redhat.com)

What is the risk?

Moderate-to-high risk for organizations running Red Hat AI Infrastructure Service vLLM containers in production. The exploit requires zero authentication and zero user interaction, making it trivially weaponizable for sustained availability attacks against AI inference endpoints. Impact is strictly DoS (CVSS C:N/I:N/A:H) — no remote code execution is indicated — which limits severity, but availability of inference infrastructure is often a critical business function for AI-dependent products. The package history of 53 prior CVEs and a risk score of 61/100 signals persistent quality debt in gdk-pixbuf. Absence from CISA KEV and no known public exploit reduce immediate urgency; however, the ease of exploitation (low complexity, no credentials) means weaponization is a matter of when, not if.

How does the attack unfold?

  1. Craft Malformed JPEG: Attacker constructs a JPEG image with an invalid color component count that bypasses application-level checks but triggers the heap buffer overflow in gdk-pixbuf's low-level JPEG parser.

  2. Submit to Inference API (AML.T0049): Attacker submits the crafted JPEG to the multimodal vLLM inference endpoint via `/v1/chat/completions` with an image payload, requiring no authentication on a default deployment.

  3. Heap Overflow Triggered: gdk-pixbuf's JPEG loader writes beyond the allocated heap buffer while processing the malformed color component data inside the RHAIIS container, causing an immediate process crash.

  4. AI Service Disrupted (AML.T0029): The vLLM inference container crashes and becomes unavailable; repeated automated requests maintain persistent DoS of the inference endpoint for the duration of the attack.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| vLLM | pip | | No patch |
| gdk-pixbuf2 | | | No patch |
| glycin-loaders | | | No patch |
| librsvg2 | | | No patch |
| loupe | | | No patch |
| papers | | | No patch |
| rhaiis/model-opt-cuda-rhel9 | | | No patch |
| snapshot | | | No patch |

vLLM package profile: 82.1K, 130 dependents, pushed 5d ago, 42% patched, ~32d to patch.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

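Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High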

What should I do?

6 steps
  1. Apply Red Hat patches immediately: update gdk-pixbuf2 and dependent RHAIIS container images per advisories RHSA-2026:10707 through RHSA-2026:12061.

  2. Rebuild and redeploy all vLLM container images using patched base images from the Red Hat registry — verify with `rpm -q gdk-pixbuf2` inside running containers.

  3. Add API-gateway input validation: reject JPEG files with anomalous color component counts before they reach the inference container; a dedicated image-validation sidecar or reverse proxy rule is sufficient.

  4. Apply network segmentation to limit direct internet exposure of vLLM inference endpoints; require authenticated access where possible.

  5. Configure container orchestration (Kubernetes, OpenShift) with liveness probes and auto-restart policies as a resilience backstop during the patch window.

  6. Audit any other containers in the AI stack for transitive gdk-pixbuf dependency using `docker inspect` or `syft` SBOM generation.
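
One way to implement the gateway check from step 3, as an added example that is not code from the advisory, Red Hat or gdk-pixbuf: it walks the JPEG marker segments and rejects files whose frame (SOF) or scan (SOS) component count disagrees with the segment length or falls outside an allow-list. The allow-list of 1, 3 or 4 components, the single-frame and mandatory-EOI strictness, and the names `check_jpeg_components` and `constructed_sample` are assumptions of this example.

```python
# Gateway-side JPEG header check (added example). Policy values are assumptions.
ALLOWED_NF = {1, 3, 4}                      # assumed: grey, YCbCr/RGB, CMYK/YCCK
SOF = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}   # frame headers (not DHT/JPG/DAC)
SOS, EOI = 0xDA, 0xD9
NO_LENGTH = {0x00, 0x01, 0xD8} | set(range(0xD0, 0xD8))  # markers with no length field
IN_SCAN = {0x00, 0xFF} | set(range(0xD0, 0xD8))          # stuffing, fill, RSTn


def check_jpeg_components(data: bytes) -> tuple[bool, str]:
    """Walk marker segments; vet SOF and SOS component counts against lengths."""
    if data[:2] != b"\xff\xd8":
        return False, "missing SOI"
    pos, nf, scans = 2, None, 0
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False, f"expected marker at offset {pos}"
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return (True, "ok") if scans else (False, "no scan header")
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker in NO_LENGTH or seg_len < 2 or pos + 2 + seg_len > len(data):
            return False, f"unexpected or truncated segment 0x{marker:02X}"
        body = data[pos + 4:pos + 2 + seg_len]
        if marker in SOF:                   # Lf must equal 8 + 3*Nf
            count = body[5] if len(body) > 5 else 0
            if nf is not None or count not in ALLOWED_NF or seg_len != 8 + 3 * count:
                return False, f"rejected frame header (Nf={count})"
            nf = count
        elif marker == SOS:                 # Ls must equal 6 + 2*Ns, and Ns <= Nf
            ns = body[0] if body else 0
            if nf is None or not 1 <= ns <= min(4, nf) or seg_len != 6 + 2 * ns:
                return False, f"rejected scan header (Ns={ns})"
            scans += 1
        pos += 2 + seg_len
        if marker == SOS:                   # skip entropy-coded data to next marker
            while pos + 1 < len(data) and (data[pos] != 0xFF or data[pos + 1] in IN_SCAN):
                pos += 1
    return False, "missing EOI"


def constructed_sample(declared: int, present: int) -> bytes:
    """Constructed marker skeleton (not a decodable image) to exercise the check."""
    seg = lambda m, b: bytes([0xFF, m]) + (len(b) + 2).to_bytes(2, "big") + b
    sof = bytes([8, 0, 16, 0, 16, declared]) + bytes(3 * present)
    sos = bytes([1, 1, 0, 0, 63, 0])
    return b"\xff\xd8" + seg(0xC0, sof) + seg(SOS, sos) + b"\x12\xff\x00\x34\xff\xd9"
```

The check is a structural filter that runs before any decoder touches the bytes; it complements the patched gdk-pixbuf2 build and does not replace it.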

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system operational continuity
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2026-5201?

A heap buffer overflow in gdk-pixbuf's JPEG image loader (CWE-122) allows a remote, unauthenticated attacker to crash any application processing attacker-controlled JPEG images — no user interaction required (AV:N/AC:L/PR:N/UI:N). The AI-specific risk is direct: Red Hat's RHAIIS vLLM container images (vllm-cuda-rhel9, vllm-rocm-rhel9, vllm-spyre-rhel9) bundle gdk-pixbuf as a dependency, meaning a crafted JPEG submitted to a multimodal inference endpoint can take down the entire serving container, with 130 downstream dependents amplifying the blast radius across Red Hat-based AI stacks. No public exploit or KEV listing exists yet, but the trivial exploit path and broad enterprise adoption of Red Hat AI infrastructure prompted at least 10 vendor advisories (RHSA-2026:10707 through RHSA-2026:12061). Rebuild vLLM containers from patched Red Hat base images immediately and add JPEG validation at the API gateway as a defence-in-depth control.

Is CVE-2026-5201 actively exploited?

No confirmed active exploitation of CVE-2026-5201 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-5201?

  1. Apply Red Hat patches immediately: update gdk-pixbuf2 and dependent RHAIIS container images per advisories RHSA-2026:10707 through RHSA-2026:12061.
  2. Rebuild and redeploy all vLLM container images using patched base images from the Red Hat registry — verify with `rpm -q gdk-pixbuf2` inside running containers.
  3. Add API-gateway input validation: reject JPEG files with anomalous color component counts before they reach the inference container; a dedicated image-validation sidecar or reverse proxy rule is sufficient.
  4. Apply network segmentation to limit direct internet exposure of vLLM inference endpoints; require authenticated access where possible.
  5. Configure container orchestration (Kubernetes, OpenShift) with liveness probes and auto-restart policies as a resilience backstop during the patch window.
  6. Audit any other containers in the AI stack for transitive gdk-pixbuf dependency using `docker inspect` or `syft` SBOM generation.

What systems are affected by CVE-2026-5201?

This vulnerability affects the following AI/ML architecture patterns: model serving, LLM inference containers, multimodal inference pipelines.

What is the CVSS score for CVE-2026-5201?

CVE-2026-5201 has a CVSS v3.1 base score of 7.5 (HIGH).

What is the AI security impact?

Affected AI Architectures

model serving, LLM inference containers, multimodal inference pipelines

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loader due to improper validation of color component counts when processing a specially crafted JPEG image. A remote attacker can exploit this flaw without user interaction, for example, via thumbnail generation. Successful exploitation leads to application crashes and denial of service (DoS) conditions.

Exploitation Scenario

An adversary targeting an organization's publicly exposed multimodal LLM inference endpoint (e.g., a vLLM API accepting image+text prompts for a vision-language model) crafts a JPEG with a malformed color component header that exceeds expected bounds. The attacker submits this image via the standard `/v1/chat/completions` endpoint with an image payload — no credentials required on an unauthenticated deployment. When gdk-pixbuf processes the image during preprocessing or thumbnail generation inside the RHAIIS container, the heap buffer overflow triggers and the vLLM serving process crashes. Without auto-restart, this results in sustained inference downtime; with auto-restart, the attacker can send repeated crafted requests to maintain a persistent DoS loop. Against a SaaS AI product, this could constitute a service disruption attack targeting a competitor or a precursor to extracting value from downtime (e.g., during an SLA breach window).

Weaknesses (CWE)

CWE-122 — Heap-based Buffer Overflow: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

  • Pre-design: Use a language or compiler that performs automatic bounds checking.
  • Architecture and Design: Use an abstraction library to abstract away risky APIs. Not a complete solution.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: March 31, 2026
Last Modified: June 10, 2026
First Seen: June 12, 2026
