Commit 48581e3

1 parent 97747e9 commit 48581e3

2 files changed

Lines changed: 140 additions & 0 deletions

Lines changed: 69 additions & 0 deletions
@@ -0,0 +1,69 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-grg2-63fw-f2qr",
4+
"modified": "2026-01-13T18:44:15Z",
5+
"published": "2026-01-13T18:44:15Z",
6+
"aliases": [
7+
"CVE-2026-22773"
8+
],
9+
"summary": "vLLM is vulnerable to DoS in Idefics3 vision models via image payload with ambiguous dimensions",
10+
"details": "### Summary\nUsers can crash the vLLM engine serving multimodal models that use the _Idefics3_ vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination.\n\n### Details\nThe vulnerability is triggered when the image processor encounters a 1x1 pixel image with shape (1, 1, 3) in HWC (Height, Width, Channel) format. Due to the ambiguous dimensions, the processor incorrectly assumes the image is in CHW (Channel, Height, Width) format with shape (3, H, W). This misinterpretation causes an incorrect calculation of the number of image patches, resulting in a fatal tensor split operation failure.\n\n**Crash location**: `vllm/model_executor/models/idefics3.py` line 672:\n```python\ndef _process_image_input(self, image_input: ImageInputs) -> torch.Tensor | list[torch.Tensor]:\n # ...\n num_patches = image_input[\"num_patches\"]\n return [e.flatten(0, 1) for e in image_features.split(num_patches.tolist())]\n```\n\nThe `split()` call fails because the computed `num_patches` value (17) does not match the actual tensor dimension (9):\n```\nRuntimeError: split_with_sizes expects split_sizes to sum exactly to 9 \n(input tensor's size at dimension 0), but got split_sizes=[17]\n```\n\nThis unhandled exception terminates the EngineCore process, crashing the server.\n\n#### Affected Models\nAny model using the Idefics3 architecture. 
The vulnerability was tested with `HuggingFaceTB/SmolVLM-Instruct`.\n\n### Impact\nDenial of service by crashing the engine\n\n### Mitigation\nValidating the input:\n```python\ndef _validate_image_dimensions(self, image_shape):\n h, w = image_shape[:2] if len(image_shape) == 3 else image_shape\n if h < MIN_IMAGE_SIZE or w < MIN_IMAGE_SIZE:\n raise ValueError(f\"Image dimensions too small: {h}x{w}\")\n```\n\nManaging the exception:\n```python\ntry:\n return [e.flatten(0, 1) for e in image_features.split(num_patches.tolist())]\nexcept RuntimeError as e:\n logger.error(f\"Image processing failed: {e}\")\n raise InvalidImageError(\"Failed to process image features\") from e\n```\n\n### Fixes\n\n* https://github.com/vllm-project/vllm/pull/29881",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "vllm"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0.6.4"
29+
},
30+
{
31+
"fixed": "0.12.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-grg2-63fw-f2qr"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22773"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/vllm-project/vllm/pull/29881"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://github.com/vllm-project/vllm/commit/0ec84221718d920c3f46da879cc354f94b8fb59e"
54+
},
55+
{
56+
"type": "PACKAGE",
57+
"url": "https://github.com/vllm-project/vllm"
58+
}
59+
],
60+
"database_specific": {
61+
"cwe_ids": [
62+
"CWE-770"
63+
],
64+
"severity": "MODERATE",
65+
"github_reviewed": true,
66+
"github_reviewed_at": "2026-01-13T18:44:15Z",
67+
"nvd_published_at": "2026-01-10T07:16:03Z"
68+
}
69+
}
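Review bot: `database_specific.cwe_ids` lists only CWE-770, but the `details` text describes a 1x1 image of shape (1, 1, 3) being misread as CHW and ending in an unhandled `RuntimeError` from `split()`, not an unbounded allocation. Consider adding or substituting an identifier that matches that description, such as CWE-20 (improper input validation) or CWE-248 (uncaught exception), or recording why CWE-770 was kept. Separately, the validation snippet quoted under Mitigation reads `image_shape[:2]` as height and width, which itself assumes HWC layout, the same assumption the advisory calls ambiguous; a short caveat in the text would help readers who copy it, as would a note that `MIN_IMAGE_SIZE` and `InvalidImageError` are not defined in the snippet.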
Lines changed: 71 additions & 0 deletions
@@ -0,0 +1,71 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-qmgc-5h2g-mvrw",
4+
"modified": "2026-01-13T18:44:55Z",
5+
"published": "2026-01-13T18:44:55Z",
6+
"aliases": [
7+
"CVE-2026-22701"
8+
],
9+
"summary": "filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock",
10+
"details": "## Vulnerability Summary\n\n**Title:** Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock\n\n**Affected Component:** `filelock` package - `SoftFileLock` class\n**File:** `src/filelock/_soft.py` lines 17-27\n**CWE:** CWE-362, CWE-367, CWE-59\n\n---\n\n## Description\n\nA TOCTOU race condition vulnerability exists in the `SoftFileLock` implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly.\n\nThe vulnerability occurs in the `_acquire()` method between `raise_on_not_writable_file()` (permission check) and `os.open()` (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service.\n\n### Attack Scenario\n\n```\n1. Lock attempts to acquire on /tmp/app.lock\n2. Permission validation passes\n3. [RACE WINDOW] - Attacker creates: ln -s /tmp/important.txt /tmp/app.lock\n4. os.open() tries to create lock file\n5. Lock operates on attacker-controlled target file or fails\n```\n\n---\n\n## Impact\n\n_What kind of vulnerability is it? 
Who is impacted?_\n\nThis is a **Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability** affecting any application using `SoftFileLock` for inter-process synchronization.\n\n**Affected Users:**\n- Applications using `filelock.SoftFileLock` directly\n- Applications using the fallback `FileLock` on systems without `fcntl` support (e.g., GraalPy)\n\n**Consequences:**\n- **Silent lock acquisition failure** - applications may not detect that exclusive resource access is not guaranteed\n- **Denial of Service** - attacker can prevent lock file creation by maintaining symlink\n- **Resource serialization failures** - multiple processes may acquire \"locks\" simultaneously\n- **Unintended file operations** - lock could operate on attacker-controlled files\n\n**CVSS v4.0 Score:** 5.6 (Medium)\n**Vector:** CVSS:4.0/AV:L/AT:L/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N\n\n**Attack Requirements:**\n- Local filesystem access to the directory containing lock files\n- Permission to create symlinks (standard for regular unprivileged users on Unix/Linux)\n- Ability to time the symlink creation during the narrow race window\n\n---\n\n## Patches\n\n_Has the problem been patched? 
What versions should users upgrade to?_\n\nYes, the vulnerability has been patched by adding the `O_NOFOLLOW` flag to prevent symlink following during lock file creation.\n\n**Patched Version:** Next release (commit: 255ed068bc85d1ef406e50a135e1459170dd1bf0)\n\n**Mitigation Details:**\n- The `O_NOFOLLOW` flag is added conditionally and gracefully degrades on platforms without support\n- On platforms with `O_NOFOLLOW` support (most modern systems): symlink attacks are completely prevented\n- On platforms without `O_NOFOLLOW` (e.g., GraalPy): TOCTOU window remains but is documented\n\n**Users should:**\n- Upgrade to the patched version when available\n- For critical deployments, consider using `UnixFileLock` or `WindowsFileLock` instead of the fallback `SoftFileLock`\n\n---\n\n## Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nFor users unable to update immediately:\n\n1. **Avoid `SoftFileLock` in security-sensitive contexts** - use `UnixFileLock` or `WindowsFileLock` when available (these were already patched for CVE-2025-68146)\n\n2. **Restrict filesystem permissions** - prevent untrusted users from creating symlinks in lock file directories:\n ```bash\n chmod 700 /path/to/lock/directory\n ```\n\n3. **Use process isolation** - isolate untrusted code from lock file paths to prevent symlink creation\n\n4. 
**Monitor lock operations** - implement application-level checks to verify lock acquisitions are successful before proceeding with critical operations\n\n---\n\n## References\n\n_Are there any links users can visit to find out more?_\n\n- **Similar Vulnerability:** CVE-2025-68146 (TOCTOU vulnerability in UnixFileLock/WindowsFileLock)\n- **CWE-362 (Concurrent Execution using Shared Resource):** https://cwe.mitre.org/data/definitions/362.html\n- **CWE-367 (Time-of-check Time-of-use Race Condition):** https://cwe.mitre.org/data/definitions/367.html\n- **CWE-59 (Improper Link Resolution Before File Access):** https://cwe.mitre.org/data/definitions/59.html\n- **O_NOFOLLOW documentation:** https://man7.org/linux/man-pages/man2/open.2.html\n- **GitHub Repository:** https://github.com/tox-dev/filelock\n\n---\n\n**Reported by:** George Tsigourakos (@tsigouris007)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "filelock"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "3.20.3"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22701"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5"
54+
},
55+
{
56+
"type": "PACKAGE",
57+
"url": "https://github.com/tox-dev/filelock"
58+
}
59+
],
60+
"database_specific": {
61+
"cwe_ids": [
62+
"CWE-362",
63+
"CWE-367",
64+
"CWE-59"
65+
],
66+
"severity": "MODERATE",
67+
"github_reviewed": true,
68+
"github_reviewed_at": "2026-01-13T18:44:55Z",
69+
"nvd_published_at": "2026-01-10T06:15:52Z"
70+
}
71+
}
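Review bot: the `details` text still says "Patched Version: Next release" and "Upgrade to the patched version when available", while `affected[].ranges[].events` records `"fixed": "3.20.3"`; the prose should name 3.20.3 so that readers of the rendered advisory get the same answer as tooling that reads the range. Also, `details` quotes a CVSS v4.0 score and a CVSS:4.0 vector, but `severity` has a single entry typed `CVSS_V3` with a CVSS:3.1 vector; confirm the v4 vector was left out on purpose. The second commit reference (41b42dd) is not mentioned anywhere in `details`, so a word on what it changes would help.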
