CVE-2025-49847

llama.cpp is an inference of several LLM models in C/C++. Prior to version b5662, an attacker‐supplied GGUF model vocabulary can trigger a buffer overflow in llama.cpp’s vocabulary‐loading code. Specifically, the helper _try_copy in llama.cpp/src/vocab.cpp: llama_vocab::impl::token_to_piece() casts a very large size_t token length into an int32_t, causing the length check (if (length < (int32_t)size)) to be bypassed. As a result, memcpy is still called with that oversized size, letting a malicious model overwrite memory beyond the intended buffer. This can lead to arbitrary memory corruption and potential code execution. This issue has been patched in version b5662.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/ggml-org/llama.cpp/commit/3cfbbdb44e08fd19429fed6cc85b982a91f0efd5	Patch
https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-8wwf-w4qm-gpqr	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ggml:llama.cpp:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-06-17 20:15

Updated : 2025-08-27 13:48

NVD link : CVE-2025-49847

Mitre link : CVE-2025-49847

CVE.ORG link : CVE-2025-49847

JSON object : View

Products Affected

ggml

llama.cpp

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-195

Signed to Unsigned Conversion Error

{"id": "CVE-2025-49847", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-06-17T20:15:32.437", "references": [{"url": "https://github.com/ggml-org/llama.cpp/commit/3cfbbdb44e08fd19429fed6cc85b982a91f0efd5", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-8wwf-w4qm-gpqr", "tags": ["Mitigation", "Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-195"}]}], "descriptions": [{"lang": "en", "value": "llama.cpp is an inference of several LLM models in C/C++. Prior to version b5662, an attacker\u2010supplied GGUF model vocabulary can trigger a buffer overflow in llama.cpp\u2019s vocabulary\u2010loading code. Specifically, the helper _try_copy in llama.cpp/src/vocab.cpp: llama_vocab::impl::token_to_piece() casts a very large size_t token length into an int32_t, causing the length check (if (length < (int32_t)size)) to be bypassed. As a result, memcpy is still called with that oversized size, letting a malicious model overwrite memory beyond the intended buffer. This can lead to arbitrary memory corruption and potential code execution. This issue has been patched in version b5662."}, {"lang": "es", "value": "llama.cpp es una inferencia de varios modelos LLM en C/C++. Antes de la versi\u00f3n b5662, un vocabulario de modelo GGUF proporcionado por un atacante pod\u00eda provocar un desbordamiento de b\u00fafer en el c\u00f3digo de carga de vocabulario de llama.cpp. Espec\u00edficamente, el asistente _try_copy en llama.cpp/src/vocab.cpp: llama_vocab::impl::token_to_piece() convierte una longitud de token size_t muy grande en un int32_t, lo que provoca que se omita la comprobaci\u00f3n de longitud (si (length < (int32_t)size)). Como resultado, se sigue llamando a memcpy con ese tama\u00f1o excesivo, lo que permite que un modelo malicioso sobrescriba la memoria m\u00e1s all\u00e1 del b\u00fafer previsto. Esto puede provocar corrupci\u00f3n de memoria arbitraria y la posible ejecuci\u00f3n de c\u00f3digo. Este problema se ha corregido en la versi\u00f3n b5662."}], "lastModified": "2025-08-27T13:48:14.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ggml:llama.cpp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CD259F6A-4B43-4B07-83A5-544F900CD023", "versionEndExcluding": "b5662"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}