UBUNTU-CVE-2026-34159

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-34159

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34159.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-34159

Upstream

CVE-2026-34159

Published

2026-04-01T18:16:00Z

Modified

2026-05-14T14:40:28.913928Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

llama.cpp is an inference of several LLM models in C/C++. Prior to version b8492, the RPC backend's deserializetensor() skips all bounds validation when a tensor's buffer field is 0. An unauthenticated attacker can read and write arbitrary process memory via crafted GRAPHCOMPUTE messages. Combined with pointer leaks from ALLOCBUFFER/BUFFERGET_BASE, this gives full ASLR bypass and remote code execution. No authentication required, just TCP access to the RPC server port. This issue has been patched in version b8492.

References

Affected packages

Ubuntu:25.10 / llama.cpp

Package

Name: llama.cpp
Purl: pkg:deb/ubuntu/llama.cpp@5882+dfsg-2?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

Other

5318+dfsg-1

5318+dfsg-2

5713+dfsg-1

5760+dfsg-1

5760+dfsg-3

5760+dfsg-4

5882+dfsg-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "5882+dfsg-2",
            "binary_name": "llama.cpp"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34159.json"