JustAppSec
Back to news

llama.cpp discloses unauthenticated RPC RCE via buffer=0 bypass

2 min readPublished 01 Apr 2026Updated 01 Apr 2026Source: CVEProject (cvelistV5)
CVE-2026-34159NewsAIAI SecurityMemory Safety

TL;DR - llama.cpp's RPC backend deserialize_tensor() skips all bounds validation when a tensor's buffer field is 0. Crafted GRAPH_COMPUTE over TCP gives arbitrary memory read/write. Combine with pointer leaks from ALLOC_BUFFER / BUFFER_GET_BASE for ASLR bypass and unauth RCE. Just TCP access required.

What happened

llama.cpp is the widely used C/C++ inference implementation for running LLMs locally and in server deployments.

CVE-2026-34159 (Critical, CVSS 9.8): unauthenticated RCE in the RPC backend. deserialize_tensor() skips all bounds validation when buffer == 0, giving arbitrary process memory read/write via crafted GRAPH_COMPUTE messages. Combine with pointer leaks from ALLOC_BUFFER / BUFFER_GET_BASE to bypass ASLR. CVE notes the only prerequisite is TCP access to the RPC server port.

Unauth memory-corruption primitives over a network protocol remain high-signal exploitation, and LLM inference servers are increasingly deployed as always-on internal infra with broad network reachability.

Who is impacted

  • Deployments exposing the llama.cpp RPC backend to untrusted networks (the CVE record explicitly states the only prerequisite is TCP access to the RPC server port).
ComponentAffected versions (per CVE record)Patched versions / solution status
llama.cpp< b8492CVE record states “patched in version b8492”; the linked GitHub advisory page lists Patched versions: None and Affected versions: <= b7991 (treat fixed-version guidance as ambiguous until you validate against your exact build/release flow)

What to do now

  • Follow upstream remediation guidance and apply the latest patched build/release available at the time of writing for llama.cpp RPC deployments.

    • "This issue has been patched in version b8492."

  • Treat network reachability as the primary risk gate: restrict access to the RPC server port to trusted clients only (segmentation, firewall rules, security groups).
  • Inventory where the RPC backend is enabled (container images, systemd services, Helm charts) and prioritize patching/containment for any GPU hosts reachable from broad internal networks.
  • If compromise is suspected, review service logs/telemetry for anomalous RPC activity around GRAPH_COMPUTE behavior and initiate standard incident response for a potential code-execution event on the host.

Additional Information

  • The CVE record includes CISA ADP SSVC enrichment indicating: Exploitation: poc, Automatable: yes, Technical Impact: total.
  • Upstream references in the CVE record include the GitHub Security Advisory (GHSA-j8rj-fmpv-wcxw), the fixing pull request (#20908), and a specific fixing commit hash.

Related

Training

Need help?Get in touch.