Skip to main content

Llama Cpp CVE-2024-42478

MEDIUM
Out-of-bounds Read (CWE-125)
2024-08-12 security-advisories@github.com
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Aug 12, 2024 - 15:15 github-advisory
MEDIUM 5.3

DescriptionGitHub Advisory

llama.cpp provides LLM inference in C/C++. The unsafe data pointer member in the rpc_tensor structure can cause arbitrary address reading. This vulnerability is fixed in b3561.

AnalysisAI

llama.cpp provides LLM inference in C/C++. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Out-of-bounds Read (CWE-125), which allows attackers to read data from memory outside the intended buffer boundaries. llama.cpp provides LLM inference in C/C++. The unsafe data pointer member in the rpc_tensor structure can cause arbitrary address reading. This vulnerability is fixed in b3561. Affected products include: Ggml Llama.Cpp.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate array indices and buffer lengths. Use memory-safe languages. Enable AddressSanitizer during testing.

CVE-2024-42479 CRITICAL POC
10.0 Aug 12

Arbitrary memory write in llama.cpp's RPC server allows remote unauthenticated attackers to corrupt arbitrary memory add

CVE-2024-21802 HIGH POC
8.8 Feb 26

Remote code execution in llama.cpp (commit 18c2e17) is possible when a user opens a malicious .gguf model file, triggeri

CVE-2024-21825 HIGH POC
8.8 Feb 26

Remote code execution in llama.cpp (commit 18c2e17) is possible when a victim loads a malicious .gguf model file, trigge

CVE-2024-23605 HIGH POC
8.8 Feb 26

Remote code execution in llama.cpp (GGUF library) allows attackers to achieve arbitrary code execution by tricking a use

CVE-2024-23496 HIGH POC
8.8 Feb 26

Remote code execution in llama.cpp (commit 18c2e17) occurs when the GGUF library's gguf_fread_str function parses a mali

CVE-2024-21836 HIGH POC
8.8 Feb 26

Heap-based buffer overflow in llama.cpp's GGUF library header parser (commit 18c2e17) enables code execution when a vict

CVE-2026-34159 CRITICAL
9.8 Apr 01

Remote code execution in llama.cpp RPC backend allows unauthenticated attackers with TCP access to achieve arbitrary mem

CVE-2024-32878 HIGH
8.8 Apr 26

Llama.cpp is LLM inference in C/C++. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no auth

CVE-2026-33298 HIGH
7.8 Mar 24

Remote code execution in llama.cpp prior to commit b7824 is possible through a crafted GGUF file that exploits an intege

CVE-2026-27940 HIGH
7.8 Mar 12

Local attackers can achieve heap buffer overflow in llama.cpp versions before b8146 through integer overflow in the GGUF

CVE-2024-41130 MEDIUM
6.5 Jul 22

llama.cpp provides LLM inference in C/C++. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable,

CVE-2024-42477 MEDIUM
5.3 Aug 12

llama.cpp provides LLM inference in C/C++. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable,

Share

CVE-2024-42478 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy