CVE-2026-34159
published 2026-04-01


Priority: P271 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.13% (62.3th percentile)

llama.cpp is an inference of several LLM models in C/C++. Prior to version b8492, the RPC backend's deserialize_tensor() skips all bounds validation when a tensor's buffer field is 0. An unauthenticated attacker can read and write arbitrary process memory via crafted GRAPH_COMPUTE messages. Combined with pointer leaks from ALLOC_BUFFER/BUFFER_GET_BASE, this gives full ASLR bypass and remote code execution. No authentication required, just TCP access to the RPC server port. This issue has been patched in version b8492.

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | llama.cpp | < llama.cpp 8611+dfsg-1 (sid) | llama.cpp 8611+dfsg-1 (sid) |
| ggml-org | llama.cpp | < b8492 | b8492 |
| ggml | llama.cpp | < b8492 | b8492 |

Detection & IOCs (extracted from sources)

  • command: GRAPH_COMPUTE
  • command: ALLOC_BUFFER
  • command: BUFFER_GET_BASE

  • Monitor for unauthenticated TCP connections to the llama.cpp RPC server port; any external access should be treated as suspicious given no authentication is required to exploit this vulnerability.
  • Detect crafted RPC messages targeting deserialize_tensor() where the tensor's buffer field is set to 0, which bypasses all bounds validation and enables arbitrary memory read/write.
  • Flag GRAPH_COMPUTE RPC messages arriving from unauthenticated/external sources as potential exploitation attempts for arbitrary process memory access.
  • Detect sequences of ALLOC_BUFFER and BUFFER_GET_BASE RPC calls from unauthenticated clients, which may indicate an attacker performing pointer leak reconnaissance for ASLR bypass prior to RCE.
  • The llama.cpp RPC server requires no authentication by design (prior to patch b8492), meaning any network-level access to the RPC port is sufficient for exploitation. Restrict RPC server exposure to trusted networks or localhost only.
  • Patch to llama.cpp version b8492 or later (Debian: 8611+dfsg-1) to remediate the missing bounds validation in deserialize_tensor().
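
The monitoring bullets above can be combined into one correlation pass, shown here as an added example that is not part of the original entry or of llama.cpp. It assumes a network sensor that already emits one decoded event per RPC message in the form "<epoch> <client_ip> <rpc_command>"; that event format, the trusted subnets and the sample events are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: only loopback and this (hypothetical) inference subnet may reach the RPC port.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.20.0.0/24")]
LEAK_CMDS = {"ALLOC_BUFFER", "BUFFER_GET_BASE"}

# Constructed sample events in the assumed format "<epoch> <client_ip> <rpc_command>".
SAMPLE_EVENTS = """\
1775000000 10.20.0.5 ALLOC_BUFFER
1775000001 10.20.0.5 GRAPH_COMPUTE
1775000010 203.0.113.7 ALLOC_BUFFER
1775000011 203.0.113.7 BUFFER_GET_BASE
1775000012 198.51.100.9 OTHER_CMD
1775000013 203.0.113.7 GRAPH_COMPUTE
not a valid line
"""

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)

def analyze(log_text):
    """Return (alerts, skipped_lines); alerts are (epoch, client_ip, rule) tuples."""
    alerts, skipped = [], 0
    seen = defaultdict(set)   # client -> pointer-returning commands observed so far
    reported = set()          # clients already flagged for untrusted access
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts, ip, cmd = int(parts[0]), ipaddress.ip_address(parts[1]), parts[2]
        except (IndexError, ValueError):
            skipped += 1      # malformed record: count it, do not guess
            continue
        if is_trusted(ip):
            continue
        client = str(ip)
        if client not in reported:
            reported.add(client)
            alerts.append((ts, client, "untrusted-client"))
        if cmd in LEAK_CMDS:
            seen[client].add(cmd)
        elif cmd == "GRAPH_COMPUTE":
            rule = "leak-then-compute" if seen[client] == LEAK_CMDS else "untrusted-graph-compute"
            alerts.append((ts, client, rule))
    return alerts, skipped

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS)[0]:
        print(*alert)
```

The same command sequence from a trusted host is ordinary RPC traffic, which is why the rules only fire for sources outside the allow-list.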

CVSS provenance

nvd: v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_debian: 9.8 CRITICAL