UBUNTU-CVE-2026-21869

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2026-21869
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-21869.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-21869
Upstream
Published
2026-01-08T00:16:00Z
Modified
2026-02-04T23:58:08.692271Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

llama.cpp is an inference of several LLM models in C/C++. In commits 55d4206c8 and prior, the ndiscard parameter is parsed directly from JSON input in the llama.cpp server's completion endpoints without validation to ensure it's non-negative. When a negative value is supplied and the context fills up, llamamemoryseqrm/add receives a reversed range and negative offset, causing out-of-bounds memory writes in the token evaluation loop. This deterministic memory corruption can crash the process or enable remote code execution (RCE). There is no fix at the time of publication.

References

Affected packages

Ubuntu:25.10 / llama.cpp

Package

Name
llama.cpp
Purl
pkg:deb/ubuntu/llama.cpp@5882+dfsg-2?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

Other
5318+dfsg-1
5318+dfsg-2
5713+dfsg-1
5760+dfsg-1
5760+dfsg-3
5760+dfsg-4
5882+dfsg-2

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "5882+dfsg-2",
            "binary_name": "llama.cpp"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-21869.json"