CVE-2026-34159

Published Apr 1, 2026

Last updated a month ago

CVSS critical 9.8
C++

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-34159 describes a vulnerability found in the `llama.cpp` project, specifically within its RPC backend. The flaw exists in the `deserialize_tensor()` function, which fails to perform bounds validation when a tensor's `buffer` field is set to zero. This oversight allows an unauthenticated attacker to read and write arbitrary process memory by sending specially crafted `GRAPH_COMPUTE` messages. When exploited in conjunction with pointer leaks from `ALLOC_BUFFER`/`BUFFER_GET_BASE` messages, this vulnerability can lead to a complete bypass of Address Space Layout Randomization (ASLR) and enable remote code execution. The attack requires only TCP access to the RPC server port and no authentication. The issue has been addressed in `llama.cpp` version b8492.

Description
llama.cpp is an inference of several LLM models in C/C++. Prior to version b8492, the RPC backend's deserialize_tensor() skips all bounds validation when a tensor's buffer field is 0. An unauthenticated attacker can read and write arbitrary process memory via crafted GRAPH_COMPUTE messages. Combined with pointer leaks from ALLOC_BUFFER/BUFFER_GET_BASE, this gives full ASLR bypass and remote code execution. No authentication required, just TCP access to the RPC server port. This issue has been patched in version b8492.
Source
security-advisories@github.com
NVD status
Analyzed
Products
llama.cpp

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-119

Social media

Hype score
Not currently trending

  1. CVE-2026-34159: Exploiting llama.cpp’s RPC Server - From Null Buffer to RCE Against PIE + Full RELRO + NX https://t.co/02K9RBKBAN #cyber #threathunting #infosec

    @blueteamsec1

    31 May 2026

    593 Impressions

    2 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. CRITICAL: CVE-2026-34159 (CVSS 9.8) — ggml llama.cpp. CVE: CVE-2026-34159 CVSS: 9.8 (3.1) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Severity: CRITICAL Status: Critical advisory

    @lyrie_ai

    12 May 2026

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.CVE-2026-5928
  2. Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.CVE-2026-5450
  3. SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses ".." path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended directory. This issue has been patched in version 1.4.1.CVE-2026-32725
  4. Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.CVE-2026-32877
  5. A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it.CVE-2026-3650

References

Sources include official advisories and independent security research.