Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
llama.cpp is an inference of several LLM models in C/C++. Prior to b7824, an integer overflow vulnerability in the ggml_nbytes function allows an attacker to bypass memory validation by crafting a GGUF file with specific tensor dimensions. This causes ggml_nbytes to return a significantly smaller size than required (e.g., 4MB instead of Exabytes), leading to a heap-based buffer overflow when the application subsequently processes the tensor. This vulnerability allows potential Remote Code Execution (RCE) via memory corruption. b7824 contains a fix.
AnalysisAI
Remote code execution in llama.cpp prior to commit b7824 is possible through a crafted GGUF file that exploits an integer overflow in the ggml_nbytes function, causing heap buffer overflow during tensor processing. An attacker can bypass memory validation by specifying tensor dimensions that cause the size calculation to underflow dramatically, allowing memory corruption and potential code execution. The vulnerability affects Debian and other systems running vulnerable versions of llama.cpp, with no patch currently available.
Technical ContextAI
llama.cpp is a C/C++ inference engine for Large Language Model (LLM) models developed by ggml-org. The vulnerability resides in the ggml_nbytes function which calculates memory size requirements for tensor operations. Due to an integer overflow (CWE-122: Heap-based Buffer Overflow), the function can return drastically incorrect size calculations—for example, reporting 4MB when the actual requirement is in the Exabytes range. This miscalculation bypasses memory allocation validation checks, allowing subsequent tensor processing operations to write beyond allocated heap boundaries. The affected product is identified via CPE cpe:2.3:a:ggml-org:llama.cpp:*:*:*:*:*:*:*:* and processes GGUF (GPT-Generated Unified Format) model files, which are used to store LLM weights and configurations.
RemediationAI
Upgrade llama.cpp to version b7824 or later, which contains a fix for the integer overflow vulnerability. The patched release is available at https://github.com/ggml-org/llama.cpp/releases/tag/b7824 and additional details are provided in the security advisory at https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-96jg-mvhq-q7q7. Until patching is completed, organizations should implement defense-in-depth measures including restricting GGUF file processing to trusted sources only, validating file integrity through cryptographic signatures, running llama.cpp in sandboxed or containerized environments with limited privileges, and implementing file scanning or validation before processing untrusted model files. Consider deploying application-level firewalls or runtime protection to detect heap corruption attempts.
Arbitrary memory write in llama.cpp's RPC server allows remote unauthenticated attackers to corrupt arbitrary memory add
Remote code execution in llama.cpp (commit 18c2e17) is possible when a user opens a malicious .gguf model file, triggeri
Remote code execution in llama.cpp (commit 18c2e17) is possible when a victim loads a malicious .gguf model file, trigge
Remote code execution in llama.cpp (GGUF library) allows attackers to achieve arbitrary code execution by tricking a use
Remote code execution in llama.cpp (commit 18c2e17) occurs when the GGUF library's gguf_fread_str function parses a mali
Heap-based buffer overflow in llama.cpp's GGUF library header parser (commit 18c2e17) enables code execution when a vict
Remote code execution in llama.cpp RPC backend allows unauthenticated attackers with TCP access to achieve arbitrary mem
llama.cpp provides LLM inference in C/C++. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable,
Llama.cpp is LLM inference in C/C++. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no auth
Local attackers can achieve heap buffer overflow in llama.cpp versions before b8146 through integer overflow in the GGUF
llama.cpp provides LLM inference in C/C++. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable,
llama.cpp provides LLM inference in C/C++. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable,
Same weakness CWE-122 – Heap-based Buffer Overflow
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| sid | vulnerable | 8064+dfsg-2 | - |
| (unstable) | fixed | (unfixed) | - |
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14668