CVE-2026-33298
Received Received - Intake

Heap-Based Buffer Overflow in llama.cpp Allows Remote Code Execution

Vulnerability report for CVE-2026-33298, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-24

Last updated on: 2026-04-30

Assigner: GitHub, Inc.

Description

llama.cpp is an inference of several LLM models in C/C++. Prior to b7824, an integer overflow vulnerability in the `ggml_nbytes` function allows an attacker to bypass memory validation by crafting a GGUF file with specific tensor dimensions. This causes `ggml_nbytes` to return a significantly smaller size than required (e.g., 4MB instead of Exabytes), leading to a heap-based buffer overflow when the application subsequently processes the tensor. This vulnerability allows potential Remote Code Execution (RCE) via memory corruption. b7824 contains a fix.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-24
Last Modified
2026-04-30
Generated
2026-07-06
AI Q&A
2026-03-24
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ggml llama.cpp to b7824 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the llama.cpp project, which is a C/C++ implementation for running large language models. The flaw is an integer overflow in the function `ggml_nbytes` that calculates the memory size needed for a tensor. By crafting a specially designed GGUF file with specific tensor dimensions, an attacker can cause this function to underestimate the required memory size significantly.

Because the size is underestimated (for example, 4MB instead of exabytes), the program allocates a smaller buffer than needed. When the tensor is processed, this leads to a heap-based buffer overflow, which can corrupt memory.

This memory corruption can be exploited to achieve remote code execution (RCE) or cause denial of service (DoS). The vulnerability was fixed in commit b7824 by adding proper checks to prevent integer overflow and validate tensor sizes.

Impact Analysis

If you use llama.cpp to load GGUF model files, an attacker could craft a malicious GGUF file that triggers this vulnerability.

  • Heap-based buffer overflow leading to memory corruption.
  • Potential remote code execution (RCE), allowing an attacker to run arbitrary code on your system.
  • Denial of service (DoS) by crashing the application.

The vulnerability requires local access to load the malicious file and some user interaction, but no special privileges are needed.

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from processing malicious GGUF files with crafted tensor dimensions that cause an integer overflow in the ggml_nbytes function. Detection involves identifying usage of vulnerable versions of llama.cpp prior to commit b7824 and monitoring for suspicious GGUF files with abnormally large tensor dimensions.

Since the vulnerability is triggered by loading malicious GGUF files, you can detect attempts by scanning for GGUF files with suspiciously large tensor dimensions or by verifying the version of llama.cpp in use.

Suggested commands include:

  • Check the version of llama.cpp in your environment to ensure it is at or beyond commit b7824.
  • Use file inspection or custom scripts to analyze GGUF files for tensor dimensions that could cause integer overflow, for example, dimensions with very large values like those exceeding 2^40.
  • Monitor application logs for crashes or memory corruption errors when loading GGUF files.
Mitigation Strategies

The primary mitigation is to update llama.cpp to the fixed version b7824 or later, which includes checks to prevent integer overflow in tensor size calculations.

Additional immediate steps include:

  • Avoid loading untrusted or unaudited GGUF files that could contain malicious tensor dimensions.
  • Implement strict input validation on GGUF files to ensure tensor sizes are within safe and representable limits before processing.
  • If updating is not immediately possible, consider sandboxing or restricting the execution environment of applications using llama.cpp to limit potential damage from exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33298. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart