vLLM Image Metadata Handling CVE: EXIF/TPNG tRNS Vulnerability
CVE-2026-12491 Published on June 17, 2026

Vllm: vllm: image exif rotation & png trns transparency not normalized, causing mismatch between model input and expectations
A flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data.

NVD

Vulnerability Analysis

CVE-2026-12491 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
LOW
Availability Impact:
LOW

Timeline

Reported to Red Hat.

Made public.

Weakness Type

Misinterpretation of Input

The software misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.


Products Associated with CVE-2026-12491

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Ai Inference Server
 
Red Hat Enterprise Linux Ai
 
Red Hat Openshift Ai
 

Affected Versions

Red Hat AI Inference Server: Red Hat AI Inference Server: Red Hat AI Inference Server: Red Hat AI Inference Server: Red Hat AI Inference Server: Red Hat AI Inference Server: Red Hat AI Inference Server: Red Hat AI Inference Server: Red Hat AI Inference Server: Red Hat AI Inference Server: Red Hat AI Inference Server: Red Hat AI Inference Server: Red Hat AI Inference Server: Red Hat Enterprise Linux AI (RHEL AI) 3: Red Hat Enterprise Linux AI (RHEL AI) 3: Red Hat Enterprise Linux AI (RHEL AI) 3: Red Hat Enterprise Linux AI (RHEL AI) 3: Red Hat Enterprise Linux AI (RHEL AI) 3: Red Hat Enterprise Linux AI (RHEL AI) 3: Red Hat Enterprise Linux AI (RHEL AI) 3: Red Hat OpenShift AI (RHOAI): Red Hat OpenShift AI (RHOAI): Red Hat OpenShift AI (RHOAI): Red Hat OpenShift AI (RHOAI): Red Hat OpenShift AI (RHOAI): Red Hat OpenShift AI (RHOAI): Red Hat OpenShift AI (RHOAI): Red Hat OpenShift AI (RHOAI):