JustAppSec

llama.cpp discloses unauthenticated RPC RCE via buffer=0 bypass

Published 01 Apr 2026 | Updated 01 Apr 2026 | Source: CVEProject (cvelistV5)

TL;DR — A critical llama.cpp RPC backend bounds-check bypass enables unauthenticated remote code execution for any attacker who can reach the RPC TCP port.

What happened

llama.cpp is a widely used C/C++ inference implementation for running LLMs locally and in server deployments.

CVE-2026-34159 describes a critical unauthenticated remote code execution issue in the RPC backend: deserialize_tensor() “skips all bounds validation when a tensor's buffer field is 0,” allowing an attacker to read and write arbitrary process memory via crafted GRAPH_COMPUTE messages. The CVE record states this can be combined with pointer leaks from ALLOC_BUFFER / BUFFER_GET_BASE to achieve full ASLR bypass and RCE, with “no authentication required, just TCP access to the RPC server port.”
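The flaw class the CVE record describes, a validator that returns early when `buffer` is 0, is shown here in a simplified model next to a hardened form. This is an added example, not llama.cpp source or the upstream patch: the struct layouts and the names `wire_tensor`, `server_buffer`, `validate_flawed` and `validate_hardened` are hypothetical, the sample values are constructed, and the hardened rule (a tensor without a buffer may not carry a data pointer) is one assumed way to close the gap.

```c
/* Simplified model of the check, NOT llama.cpp source; all names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Tensor as received from the network: every field is client-controlled. */
typedef struct { uint64_t buffer, data, size; } wire_tensor;
/* A buffer the server itself allocated and tracks. */
typedef struct { uint64_t handle, base, size; } server_buffer;

static const server_buffer *find_buffer(const server_buffer *bufs, size_t n, uint64_t h) {
    for (size_t i = 0; i < n; i++)
        if (bufs[i].handle == h) return &bufs[i];
    return NULL;
}

/* Range check ordered so that data + size can never wrap around. */
static bool in_range(const server_buffer *b, uint64_t data, uint64_t size) {
    return data >= b->base && size <= b->size && data - b->base <= b->size - size;
}

/* Flawed pattern: buffer == 0 short-circuits to "accept", so data is never checked. */
bool validate_flawed(const wire_tensor *t, const server_buffer *bufs, size_t n) {
    if (t->buffer == 0) return true;
    const server_buffer *b = find_buffer(bufs, n, t->buffer);
    return b != NULL && in_range(b, t->data, t->size);
}

/* Hardened pattern: no buffer means no data pointer; everything else is range-checked. */
bool validate_hardened(const wire_tensor *t, const server_buffer *bufs, size_t n) {
    if (t->buffer == 0) return t->data == 0;
    const server_buffer *b = find_buffer(bufs, n, t->buffer);
    return b != NULL && in_range(b, t->data, t->size);
}

int main(void) {
    /* Constructed sample data: one tracked buffer and three incoming tensors. */
    server_buffer bufs[] = {{1, 0x10000, 4096}};
    wire_tensor cases[] = {{1, 0x10010, 64}, {1, 0x10ff0, 64}, {0, 0xdeadbeef, 64}};
    for (size_t i = 0; i < 3; i++)
        printf("case %zu: flawed=%d hardened=%d\n", i,
               validate_flawed(&cases[i], bufs, 1), validate_hardened(&cases[i], bufs, 1));
    return 0;
}
```

The third case is the one that matters: the flawed validator accepts an unchecked address because `buffer` is 0, while the hardened one rejects it.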

Severity is CVSS v3.1 9.8 (Critical). Unauthenticated memory-corruption primitives exposed over a network protocol remain a high-signal exploitation pattern, and LLM inference services are increasingly deployed as always-on internal infrastructure (often with broad network reachability).

Who is impacted

  • Deployments exposing the llama.cpp RPC backend to untrusted networks (the CVE record explicitly states the only prerequisite is TCP access to the RPC server port).

| Component | Affected versions (per CVE record) | Patched versions / solution status |
|---|---|---|
| llama.cpp | < b8492 | CVE record states “patched in version b8492”; the linked GitHub advisory page lists Patched versions: None and Affected versions: <= b7991 (treat fixed-version guidance as ambiguous until you validate against your exact build/release flow) |

What to do now

  • Follow upstream remediation guidance and apply the latest patched build/release available at the time of writing for llama.cpp RPC deployments.
    • "This issue has been patched in version b8492."

  • Treat network reachability as the primary risk gate: restrict access to the RPC server port to trusted clients only (segmentation, firewall rules, security groups).
  • Inventory where the RPC backend is enabled (container images, systemd services, Helm charts) and prioritize patching/containment for any GPU hosts reachable from broad internal networks.
  • If compromise is suspected, review service logs/telemetry for anomalous RPC activity around GRAPH_COMPUTE behavior and initiate standard incident response for a potential code-execution event on the host.

Additional Information

  • The CVE record includes CISA ADP SSVC enrichment indicating: Exploitation: poc, Automatable: yes, Technical Impact: total.
  • Upstream references in the CVE record include the GitHub Security Advisory (GHSA-j8rj-fmpv-wcxw), the fixing pull request (#20908), and a specific fixing commit hash.
