FKIE_CVE-2025-49847

Vulnerability from fkie_nvd - Published: 2025-06-17 20:15 - Updated: 2025-08-27 13:48
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
llama.cpp is an inference of several LLM models in C/C++. Prior to version b5662, an attacker‐supplied GGUF model vocabulary can trigger a buffer overflow in llama.cpp’s vocabulary‐loading code. Specifically, the helper _try_copy in llama.cpp/src/vocab.cpp: llama_vocab::impl::token_to_piece() casts a very large size_t token length into an int32_t, causing the length check (if (length < (int32_t)size)) to be bypassed. As a result, memcpy is still called with that oversized size, letting a malicious model overwrite memory beyond the intended buffer. This can lead to arbitrary memory corruption and potential code execution. This issue has been patched in version b5662.
References
security-advisories@github.comhttps://github.com/ggml-org/llama.cpp/commit/3cfbbdb44e08fd19429fed6cc85b982a91f0efd5Patch
security-advisories@github.comhttps://github.com/ggml-org/llama.cpp/security/advisories/GHSA-8wwf-w4qm-gpqrMitigation, Vendor Advisory
Impacted products
Vendor Product Version
ggml llama.cpp *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ggml:llama.cpp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD259F6A-4B43-4B07-83A5-544F900CD023",
              "versionEndExcluding": "b5662",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "llama.cpp is an inference of several LLM models in C/C++. Prior to version b5662, an attacker\u2010supplied GGUF model vocabulary can trigger a buffer overflow in llama.cpp\u2019s vocabulary\u2010loading code. Specifically, the helper _try_copy in llama.cpp/src/vocab.cpp: llama_vocab::impl::token_to_piece() casts a very large size_t token length into an int32_t, causing the length check (if (length \u003c (int32_t)size)) to be bypassed. As a result, memcpy is still called with that oversized size, letting a malicious model overwrite memory beyond the intended buffer. This can lead to arbitrary memory corruption and potential code execution. This issue has been patched in version b5662."
    },
    {
      "lang": "es",
      "value": "llama.cpp es una inferencia de varios modelos LLM en C/C++. Antes de la versi\u00f3n b5662, un vocabulario de modelo GGUF proporcionado por un atacante pod\u00eda provocar un desbordamiento de b\u00fafer en el c\u00f3digo de carga de vocabulario de llama.cpp. Espec\u00edficamente, el asistente _try_copy en llama.cpp/src/vocab.cpp: llama_vocab::impl::token_to_piece() convierte una longitud de token size_t muy grande en un int32_t, lo que provoca que se omita la comprobaci\u00f3n de longitud (si (length \u0026lt; (int32_t)size)). Como resultado, se sigue llamando a memcpy con ese tama\u00f1o excesivo, lo que permite que un modelo malicioso sobrescriba la memoria m\u00e1s all\u00e1 del b\u00fafer previsto. Esto puede provocar corrupci\u00f3n de memoria arbitraria y la posible ejecuci\u00f3n de c\u00f3digo. Este problema se ha corregido en la versi\u00f3n b5662."
    }
  ],
  "id": "CVE-2025-49847",
  "lastModified": "2025-08-27T13:48:14.223",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-06-17T20:15:32.437",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/ggml-org/llama.cpp/commit/3cfbbdb44e08fd19429fed6cc85b982a91f0efd5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-8wwf-w4qm-gpqr"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-119"
        },
        {
          "lang": "en",
          "value": "CWE-195"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.