PT-2026-2109 · Llama.Cpp · Llama.Cpp

Tylzh97 · Published 2026-01-07 · Updated 2026-04-24 · CVE-2026-21869

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: llama.cpp versions prior to commit 55d4206c9
Description: llama.cpp is an inference engine for several Large Language Models (LLMs) implemented in C/C++. The server parses the n_discard parameter directly from the JSON body of its completion endpoints without validating that it is non-negative. When the context is full, a negative n_discard can lead to out-of-bounds memory writes in the llama_memory_seq_rm / llama_memory_seq_add calls made during the token evaluation loop. This memory corruption can crash the process or potentially enable remote code execution (RCE). The vulnerable component is the parsing of the n_discard parameter in the completion API endpoints.
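As an added illustration of the missing check (this is not llama.cpp's own code or its fix), the following C++ sketch validates n_discard on the request side before it reaches the context-shift arithmetic. The ContextShift struct, the sanitize_n_discard and plan_context_shift functions, and the simplified shift scheme (keep positions [0, n_keep), drop [n_keep, n_keep + n_discard), shift the remainder left by n_discard) are assumptions made for this example.

```cpp
#include <cstdint>
#include <optional>

// Added example, not llama.cpp's code: the shift bookkeeping below is a
// simplified stand-in for the server's real context-shift logic.
struct ContextShift {
    int32_t rm_begin;  // first token position removed (inclusive)
    int32_t rm_end;    // one past the last removed position
    int32_t delta;     // position shift applied to tokens at rm_end and beyond
};

// Sanitise the n_discard value read from the request JSON. It is taken as a
// 64-bit value so an oversized JSON number cannot wrap before the check runs.
// Returns nullopt when the value is negative (the check the advisory says was
// missing) or larger than the tokens that exist between n_keep and n_past.
std::optional<int32_t> sanitize_n_discard(int64_t raw, int32_t n_keep, int32_t n_past) {
    if (n_keep < 0 || n_past < n_keep) return std::nullopt;  // inconsistent state
    if (raw < 0) return std::nullopt;                        // reject negative values
    if (raw > n_past - n_keep) return std::nullopt;          // nothing beyond the context
    return static_cast<int32_t>(raw);
}

// Context-shift bookkeeping over a sanitised n_discard: remove the range
// [n_keep, n_keep + n_discard) and shift what follows left by n_discard.
// Fed a negative n_discard, this arithmetic would yield a removal range that
// runs backwards and a shift that moves positions upward, which is the
// out-of-bounds situation the advisory describes; sanitize_n_discard keeps
// such input from ever reaching this point.
std::optional<ContextShift> plan_context_shift(int64_t raw_n_discard, int32_t n_keep, int32_t n_past) {
    std::optional<int32_t> n_discard = sanitize_n_discard(raw_n_discard, n_keep, n_past);
    if (!n_discard) return std::nullopt;
    return ContextShift{ n_keep, n_keep + *n_discard, -*n_discard };
}

// Invariant the validation is meant to guarantee: the removal range is
// well-ordered, lies within [0, n_past], and the shift never moves positions up.
bool shift_in_bounds(const ContextShift& s, int32_t n_past) {
    return s.rm_begin >= 0 && s.rm_begin <= s.rm_end && s.rm_end <= n_past && s.delta <= 0;
}
```

Two details matter in practice: parse the JSON number into a wider type than the one the engine uses, so the range check happens before any narrowing, and bound the value from above as well as below, since an n_discard larger than the live context is just as much an out-of-range span as a negative one.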
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2026-21869
GHSA-8947-PFFF-2F3C

Affected Products

Llama.Cpp