PT-2026-24951 · Debian+4 · Llama.Cpp

Adi0X90 · Published 2026-03-12 · Updated 2026-03-18 · CVE-2026-27940

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: llama.cpp versions prior to b8146
Description: llama.cpp is an inference engine for several Large Language Models (LLMs) written in C/C++. Before version b8146, the gguf_init_from_file_impl() function in the gguf.cpp file is susceptible to an integer overflow, which results in an undersized heap allocation. The subsequent fread() into that buffer can write more than 528 bytes of attacker-controlled data beyond the buffer's boundaries. This issue bypasses the fix for a similar earlier error (CVE-2025-53630), because that fix did not cover all affected code paths.
Recommendations: Update to version b8146 or later.
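The description above names the pattern behind this class of bug: a size computed from an untrusted element count wraps, the allocation comes out too small, and a bulk read then overruns it. The following is an added example written for this advisory, not llama.cpp's own code, and its file layout (an 8-byte element count followed by the elements) is a constructed stand-in rather than the GGUF format. It shows the unchecked product beside the two checks a loader needs: the byte size must be representable, and it must not exceed what the file actually contains.

```c
/* Added example, not llama.cpp code: the "integer overflow -> undersized heap
 * buffer -> bulk read overruns it" allocation pattern, shown unchecked and
 * with the checks a loader should perform. The file layout (8-byte element
 * count, then the elements) is a constructed stand-in, not the GGUF format. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked size computation: the product wraps modulo 2^64, so a huge
 * attacker-chosen count can yield a tiny allocation size. */
static size_t unchecked_bytes(uint64_t n, size_t elem_size) {
    return (size_t)(n * (uint64_t)elem_size);
}

/* True when n elements of elem_size bytes cannot be represented in size_t. */
static bool size_would_overflow(uint64_t n, size_t elem_size) {
    return elem_size == 0 || n > SIZE_MAX / elem_size;
}

typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} reader_t;

/* Read a count-prefixed array. Returns a malloc'd copy and stores the element
 * count, or NULL if the count overflows or exceeds what the file holds. */
static void *read_array_checked(reader_t *r, size_t elem_size, uint64_t *count) {
    uint64_t n;
    if (r->len - r->pos < sizeof n) return NULL;
    memcpy(&n, r->data + r->pos, sizeof n);   /* host byte order (constructed file) */
    r->pos += sizeof n;

    if (size_would_overflow(n, elem_size)) return NULL;
    size_t nbytes = (size_t)n * elem_size;
    /* Bound the count by the remaining file size: a read of nbytes must fit. */
    if (nbytes > r->len - r->pos) return NULL;

    void *buf = malloc(nbytes ? nbytes : 1);
    if (!buf) return NULL;
    memcpy(buf, r->data + r->pos, nbytes);    /* stand-in for fread() into buf */
    r->pos += nbytes;
    *count = n;
    return buf;
}

/* Build a constructed file image: 8-byte count followed by payload bytes. */
static size_t build_file(uint8_t *out, size_t cap, uint64_t count,
                         const uint8_t *payload, size_t payload_len) {
    if (cap < sizeof count + payload_len) return 0;
    memcpy(out, &count, sizeof count);
    memcpy(out + sizeof count, payload, payload_len);
    return sizeof count + payload_len;
}

/* Parse a file image; returns the element count read, or -1 if rejected. */
static int64_t parse_array_count(const uint8_t *file, size_t len, size_t elem_size) {
    reader_t r = { file, len, 0 };
    uint64_t n = 0;
    void *arr = read_array_checked(&r, elem_size, &n);
    if (!arr) return -1;
    free(arr);
    return (int64_t)n;
}

/* Well-formed constructed file: 3 elements of 4 bytes each. */
static int64_t demo_valid_file(void) {
    static const uint8_t payload[12] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
    uint8_t file[64];
    size_t len = build_file(file, sizeof file, 3, payload, sizeof payload);
    return parse_array_count(file, len, 4);
}

/* Hostile constructed file: count chosen so that count * 8 wraps to 8 in
 * 64-bit arithmetic, while the file carries only 8 payload bytes. */
static int64_t demo_overflowing_file(void) {
    static const uint8_t payload[8] = { 0 };
    uint8_t file[64];
    size_t len = build_file(file, sizeof file, 0x2000000000000001ULL,
                            payload, sizeof payload);
    return parse_array_count(file, len, 8);
}

int main(void) {
    printf("unchecked bytes for 0x2000000000000001 * 8: %zu\n",
           unchecked_bytes(0x2000000000000001ULL, 8));   /* wraps to 8 */
    printf("valid file elements: %lld\n", (long long)demo_valid_file());
    printf("hostile file result: %lld\n", (long long)demo_overflowing_file());
    return 0;
}
```

The second check (count bounded by the remaining file size) is the one that matters most for loaders that read with fread(): even when the multiplication is guarded, a count larger than the file should be rejected before allocation rather than discovered as a short read afterwards.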

Exploit

Fix

Integer Overflow

Heap-based Buffer Overflow

Weakness Enumeration

Related Identifiers

CVE-2026-27940
GHSA-3P4R-FQ3F-Q74V

Affected Products

Llama.Cpp