CVE-2026-10298
Null Pointer Dereference in Whisper.cpp
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ggml-org | whisper.cpp | to 1.8.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a security flaw found in the ggml-org whisper.cpp project, specifically affecting the function whisper_model_load in the file ggml/src/ggml.c. The flaw causes a null pointer dereference, which means the program attempts to access or manipulate memory through a pointer that is not properly initialized or is set to null.
Exploitation of this vulnerability requires local access to the system, and the exploit code has been publicly released, making it possible for attackers with local access to trigger this flaw.
How can this vulnerability impact me? :
The impact of this vulnerability is limited to causing a denial of service condition through a null pointer dereference. This means that an attacker with local access could cause the affected application to crash or become unavailable.
There is no indication that this vulnerability leads to information disclosure, privilege escalation, or other more severe impacts.