CVE-2024-42479
CVE-2024-42479 is a critical-severity vulnerability in Ggml Llama.cpp with a CVSS 3.x base score of 10.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-787.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 3% (84th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-39639
- Weakness: CWE-787
- Affected product: Ggml Llama.cpp
- Published:
- Last modified:
Description
llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause arbitrary address writing. This vulnerability is fixed in b3561.
Frequently asked questions
- What is CVE-2024-42479?
- llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause arbitrary address writing. This vulnerability is fixed in b3561.
- How severe is CVE-2024-42479?
- CVE-2024-42479 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-42479 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (84th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-42479?
- CVE-2024-42479 affects Ggml Llama.cpp. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-42479?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2024-42479 have an EU (EUVD) identifier?
- Yes. CVE-2024-42479 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-39639.
- When was CVE-2024-42479 published?
- CVE-2024-42479 was published on 2024-08-12 and last updated on 2026-06-17.
References
- https://github.com/ggerganov/llama.cpp/commit/b72942fac998672a79a1ae3c03b340f7e629980b
- https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-wcr5-566p-9cwj
Affected products (1)
- cpe:2.3:a:ggml:llama.cpp:*:*:*:*:*:*:*:*
More vulnerabilities in Ggml Llama.cpp
- CVE-2026-34159 — Critical (CVSS 9.8): llama.cpp is an inference of several LLM models in C/C++. Prior to version b8492, the RPC backend's…
- CVE-2026-21869 — High (CVSS 8.8): llama.cpp is an inference of several LLM models in C/C++. In commits 55d4206c8 and prior, the n_discard parameter is…
- CVE-2025-49847 — High (CVSS 8.8): llama.cpp is an inference of several LLM models in C/C++. Prior to version b5662, an attacker‐supplied GGUF model…
- CVE-2024-23605 — High (CVSS 8.8): A heap-based buffer overflow vulnerability exists in the GGUF library header.n_kv functionality of llama.cpp Commit…
- CVE-2024-23496 — High (CVSS 8.8): A heap-based buffer overflow vulnerability exists in the GGUF library gguf_fread_str functionality of llama.cpp Commit…
- CVE-2024-21836 — High (CVSS 8.8): A heap-based buffer overflow vulnerability exists in the GGUF library header.n_tensors functionality of llama.cpp…
All CVEs affecting Ggml Llama.cpp →
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…
- CVE-2023-45318 — Critical (CVSS 10.0): A heap-based buffer overflow vulnerability exists in the HTTP Server functionality of Weston Embedded uC-HTTP git…