CVE-2026-12491 PUBLISHED

vLLM: image EXIF rotation & PNG tRNS transparency not normalized, causing mismatch between model input and expectations

Assigner: redhat
Reserved: 17.06.2026 Published: 17.06.2026 Updated: 17.06.2026

A flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data.
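The two normalization steps the advisory describes, shown as an added example rather than vLLM's own code: it works on plain lists of pixel tuples (no Pillow) and assumes a white background for compositing; the paletted image, palette and tRNS values are constructed for the demo.

```python
# Added example, not vLLM code: normalizes the two image properties the
# advisory says are mishandled. EXIF orientation codes follow the tag (1-8).

def apply_exif_orientation(rows, orientation):
    """Rearrange the stored pixel grid so row 0 is the visual top."""
    flip_h = lambda r: [list(reversed(row)) for row in r]
    flip_v = lambda r: list(reversed(r))
    transpose = lambda r: [list(col) for col in zip(*r)]
    ops = {
        1: lambda r: [list(row) for row in r],
        2: flip_h,
        3: lambda r: flip_v(flip_h(r)),              # rotate 180
        4: flip_v,
        5: transpose,
        6: lambda r: flip_h(transpose(r)),           # rotate 90 clockwise
        7: lambda r: transpose(flip_v(flip_h(r))),   # transverse
        8: lambda r: flip_v(transpose(r)),           # rotate 90 counter-clockwise
    }
    if orientation not in ops:
        raise ValueError(f"invalid EXIF orientation {orientation!r}")
    return ops[orientation](rows)

def palette_to_rgba(index_rows, palette, trns=()):
    """Expand a paletted PNG (colour type 3): tRNS holds one alpha byte per
    palette entry; entries it does not cover are fully opaque."""
    return [[palette[i] + (trns[i] if i < len(trns) else 255,) for i in row]
            for row in index_rows]

def drop_alpha(rgba_rows):
    """Naive RGB conversion: alpha is discarded, so the colour stored under a
    transparent pixel leaks into the model input."""
    return [[px[:3] for px in row] for row in rgba_rows]

def flatten_alpha(rgba_rows, background=(255, 255, 255)):
    """Composite each pixel onto a solid background using its alpha, so fully
    transparent pixels become the background colour whatever RGB they store."""
    return [[tuple(round((c * a + bg * (255 - a)) / 255)
                   for c, bg in zip((r, g, b), background))
             for r, g, b, a in row]
            for row in rgba_rows]

def normalize(index_rows, palette, trns, orientation):
    """Full pipeline: expand palette, flatten transparency, apply orientation."""
    rgba = palette_to_rgba(index_rows, palette, trns)
    return apply_exif_orientation(flatten_alpha(rgba), orientation)

# Constructed 2x2 image: index 0 is black but fully transparent, index 1 is
# opaque red; the file claims EXIF orientation 6 (needs a 90 CW rotation).
PALETTE = [(0, 0, 0), (255, 0, 0)]
TRNS = (0,)
PIXELS = [[0, 1], [1, 0]]
```

`drop_alpha(palette_to_rgba(PIXELS, PALETTE, TRNS))` yields black where the author intended transparency and is still in stored orientation; `normalize(PIXELS, PALETTE, TRNS, 6)` gives the white-backed, rotated grid a viewer would show.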

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
CVSS Score: 4.8

Product Status

Vendor Red Hat
Product Red Hat AI Inference Server
Versions Default: affected
Vendor Red Hat
Product Red Hat Enterprise Linux AI (RHEL AI) 3
Versions Default: affected
Vendor Red Hat
Product Red Hat OpenShift AI (RHOAI)
Versions Default: affected

References

Problem Types

  • Misinterpretation of Input (CWE)