CVE-2026-12491: Misinterpretation of Input in Red Hat Red Hat AI Inference Server
A flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data.
AI Analysis
Technical Summary
This vulnerability in the vLLM open-source library used by Red Hat AI Inference Server arises from incorrect processing of image metadata, including EXIF orientation and PNG transparency information. When images are converted to RGB format, transparency data may be discarded or remapped incorrectly, causing unexpected rendering of transparent pixels and distortion of the input image. This can affect the integrity of the data processed by the AI model, potentially leading to incorrect inference results. The CVSS 3.1 base score is 4.8 (medium severity), with network attack vector, high attack complexity, no privileges required, no user interaction, and limited impact on integrity and availability. There is no vendor advisory indication of an available patch or remediation level at this time.
Potential Impact
The vulnerability may cause the AI inference model to misinterpret image content due to distorted or incorrectly rendered transparent pixels. This impacts the integrity of the processed data. There is no confidentiality impact reported, and availability impact is limited. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-12491 for current remediation guidance. No official fix or workaround is indicated in the advisory content provided. Users should monitor the vendor advisory for updates and apply any official patches once available.
CVE-2026-12491: Misinterpretation of Input in Red Hat Red Hat AI Inference Server
Description
A flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data.
CVSS v3.1
Score 4.8medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in the vLLM open-source library used by Red Hat AI Inference Server arises from incorrect processing of image metadata, including EXIF orientation and PNG transparency information. When images are converted to RGB format, transparency data may be discarded or remapped incorrectly, causing unexpected rendering of transparent pixels and distortion of the input image. This can affect the integrity of the data processed by the AI model, potentially leading to incorrect inference results. The CVSS 3.1 base score is 4.8 (medium severity), with network attack vector, high attack complexity, no privileges required, no user interaction, and limited impact on integrity and availability. There is no vendor advisory indication of an available patch or remediation level at this time.
Potential Impact
The vulnerability may cause the AI inference model to misinterpret image content due to distorted or incorrectly rendered transparent pixels. This impacts the integrity of the processed data. There is no confidentiality impact reported, and availability impact is limited. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-12491 for current remediation guidance. No official fix or workaround is indicated in the advisory content provided. Users should monitor the vendor advisory for updates and apply any official patches once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-06-17T07:24:01.437Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-12491","vendor":"Red Hat"}]
Threat ID: 6a3280380b89be68882feed5
Added to database: 6/17/2026, 11:08:40 AM
Last enriched: 6/17/2026, 12:01:48 PM
Last updated: 6/17/2026, 5:22:07 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.