Skip to main content

Llama Cpp CVE-2024-32878

HIGH
Missing Initialization of a Variable (CWE-456)
2024-04-26 security-advisories@github.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Apr 26, 2024 - 21:15 nvd
HIGH 8.8

DescriptionNVD

Llama.cpp is LLM inference in C/C++. There is a use of uninitialized heap variable vulnerability in gguf_init_from_file, the code will free this uninitialized variable later. In a simple POC, it will directly cause a crash. If the file is carefully constructed, it may be possible to control this uninitialized value and cause arbitrary address free problems. This may further lead to be exploited. Causes llama.cpp to crash (DoS) and may even lead to arbitrary code execution (RCE). This vulnerability has been patched in commit b2740.

AnalysisAI

Llama.cpp is LLM inference in C/C++. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-456. Llama.cpp is LLM inference in C/C++. There is a use of uninitialized heap variable vulnerability in gguf_init_from_file, the code will free this uninitialized variable later. In a simple POC, it will directly cause a crash. If the file is carefully constructed, it may be possible to control this uninitialized value and cause arbitrary address free problems. This may further lead to be exploited. Causes llama.cpp to crash (DoS) and may even lead to arbitrary code execution (RCE). This vulnerability has been patched in commit b2740. Affected products include: Ggml Llama.Cpp.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2024-42479 CRITICAL POC
10.0 Aug 12

Arbitrary memory write in llama.cpp's RPC server allows remote unauthenticated attackers to corrupt arbitrary memory add

CVE-2024-21802 HIGH POC
8.8 Feb 26

Remote code execution in llama.cpp (commit 18c2e17) is possible when a user opens a malicious .gguf model file, triggeri

CVE-2024-21825 HIGH POC
8.8 Feb 26

Remote code execution in llama.cpp (commit 18c2e17) is possible when a victim loads a malicious .gguf model file, trigge

CVE-2024-23605 HIGH POC
8.8 Feb 26

Remote code execution in llama.cpp (GGUF library) allows attackers to achieve arbitrary code execution by tricking a use

CVE-2024-23496 HIGH POC
8.8 Feb 26

Remote code execution in llama.cpp (commit 18c2e17) occurs when the GGUF library's gguf_fread_str function parses a mali

CVE-2024-21836 HIGH POC
8.8 Feb 26

Heap-based buffer overflow in llama.cpp's GGUF library header parser (commit 18c2e17) enables code execution when a vict

CVE-2026-34159 CRITICAL
9.8 Apr 01

Remote code execution in llama.cpp RPC backend allows unauthenticated attackers with TCP access to achieve arbitrary mem

CVE-2024-42478 MEDIUM POC
5.3 Aug 12

llama.cpp provides LLM inference in C/C++. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable,

CVE-2026-33298 HIGH
7.8 Mar 24

Remote code execution in llama.cpp prior to commit b7824 is possible through a crafted GGUF file that exploits an intege

CVE-2026-27940 HIGH
7.8 Mar 12

Local attackers can achieve heap buffer overflow in llama.cpp versions before b8146 through integer overflow in the GGUF

CVE-2024-41130 MEDIUM
6.5 Jul 22

llama.cpp provides LLM inference in C/C++. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable,

CVE-2024-42477 MEDIUM
5.3 Aug 12

llama.cpp provides LLM inference in C/C++. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable,

Share

CVE-2024-32878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy