CVE-2026-34159
Published 2026-04-01
Priority P271, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.13% (62.3th percentile)
llama.cpp performs inference of several LLM models in C/C++. Prior to version b8492, the RPC backend's deserialize_tensor() skips all bounds validation when a tensor's buffer field is 0. An unauthenticated attacker can read and write arbitrary process memory via crafted GRAPH_COMPUTE messages. Combined with pointer leaks from ALLOC_BUFFER/BUFFER_GET_BASE, this gives full ASLR bypass and remote code execution. No authentication is required, just TCP access to the RPC server port. This issue has been patched in version b8492.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | llama.cpp | < llama.cpp 8611+dfsg-1 (sid) | llama.cpp 8611+dfsg-1 (sid) |
| ggml-org | llama.cpp | < b8492 | b8492 |
| ggml | llama.cpp | < b8492 | b8492 |
Detection & IOCs
- Monitor for unauthenticated TCP connections to the llama.cpp RPC server port; any external access should be treated as suspicious given no authentication is required to exploit this vulnerability.
- Detect crafted RPC messages targeting deserialize_tensor() where the tensor's buffer field is set to 0, which bypasses all bounds validation and enables arbitrary memory read/write.
- Flag GRAPH_COMPUTE RPC messages arriving from unauthenticated/external sources as potential exploitation attempts for arbitrary process memory access.
- Detect sequences of ALLOC_BUFFER and BUFFER_GET_BASE RPC calls from unauthenticated clients, which may indicate an attacker performing pointer leak reconnaissance for ASLR bypass prior to RCE.
- The llama.cpp RPC server requires no authentication by design (prior to patch b8492), meaning any network-level access to the RPC port is sufficient for exploitation. Restrict RPC server exposure to trusted networks or localhost only.
- Patch to llama.cpp version b8492 or later (Debian: 8611+dfsg-1) to remediate the missing bounds validation in deserialize_tensor().
CVSS provenance
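| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_debian | | 9.8 | CRITICAL | |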
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.