CVE-2024-32878

Name of the Vulnerable Software and Affected Versions Llama.cpp versions prior to the version patched in commit b2740

Description The issue is related to the use of an uninitialized heap variable in the gguf init from file function. This can cause the program to crash, leading to a denial of service (DoS). If the file is carefully constructed, it may be possible to control the uninitialized value, potentially causing arbitrary address free problems and leading to exploitation. This could result in arbitrary code execution (RCE).

Recommendations For versions prior to the patch in commit b2740, update to a version that includes the patch to resolve the issue. As a temporary workaround, consider restricting the use of the gguf init from file function until the patch is applied.