
AVID-2026-R1473

Description

Use of Uninitialized Variable Vulnerability in llama.cpp (CVE-2024-32878)

Details

llama.cpp is LLM inference in C/C++. gguf_init_from_file contains a use of an uninitialized heap variable: the code frees this uninitialized variable later. A simple PoC crashes the process directly. If the file is carefully constructed, it may be possible to control the uninitialized value and cause an arbitrary-address free, which may be further exploitable. The result is a llama.cpp crash (DoS) and possibly arbitrary code execution (RCE). This vulnerability has been patched in commit b2740.
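The bug class described above (CWE-456 reaching free() on a parser's error path), shown with the weak allocation beside the corrected one. This is an added illustration, not llama.cpp's code: the file layout, struct names, `MAX_KV` and the `hardened` switch are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical key table parser (NOT llama.cpp code). Constructed input
 * layout: [u32 n] followed by n entries of [u32 len][len bytes]. */
struct kv    { char *key; };
struct table { uint32_t n; struct kv *kv; };
#define MAX_KV 1024u  /* assumed sanity cap on the file-supplied count */

/* Generic cleanup: walks all n slots, so every slot must hold a valid
 * pointer or NULL by the time this runs. */
void table_free(struct table *t) {
    if (!t) return;
    for (uint32_t i = 0; t->kv && i < t->n; i++) free(t->kv[i].key);
    free(t->kv);
    free(t);
}

/* hardened == 0 reproduces the bug class: malloc() leaves kv[i].key holding
 * stale heap bytes, and the error path hands them to free(). */
struct table *table_parse(const uint8_t *buf, size_t size, int hardened) {
    struct table *t = calloc(1, sizeof *t);
    size_t off = 4;
    if (!t || size < 4) goto fail;
    memcpy(&t->n, buf, 4);
    if (t->n == 0 || t->n > MAX_KV) goto fail;
    t->kv = hardened ? calloc(t->n, sizeof *t->kv)   /* all keys start NULL */
                     : malloc(t->n * sizeof *t->kv); /* keys uninitialized  */
    if (!t->kv) goto fail;
    for (uint32_t i = 0; i < t->n; i++) {
        uint32_t len;
        if (size - off < 4) goto fail;     /* truncated: slots i.. unwritten */
        memcpy(&len, buf + off, 4); off += 4;
        if (size - off < len) goto fail;
        if (!(t->kv[i].key = malloc((size_t)len + 1))) goto fail;
        memcpy(t->kv[i].key, buf + off, len); off += len;
        t->kv[i].key[len] = '\0';
    }
    return t;
fail:
    table_free(t);  /* safe only when unwritten slots are NULL */
    return NULL;
}
int main(void) {
    /* Constructed sample (little-endian host): claims 2 keys, holds 1. */
    const uint8_t sample[] = { 2,0,0,0,  2,0,0,0, 'a','b' };
    return table_parse(sample, sizeof sample, 1) == NULL ? 0 : 1;
}
```

Building the unhardened path under AddressSanitizer or MemorySanitizer and feeding it truncated inputs is a quick way to confirm whether a parser's cleanup code depends on zero-initialized slots.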

Reason for inclusion in AVID: CVE-2024-32878 describes an uninitialized-variable vulnerability in llama.cpp, a library used for LLM inference. This is a software vulnerability in a component used in AI systems (models/inference stacks). It affects the AI software stack and could lead to DoS or arbitrary code execution, indicating a security/safety vulnerability. llama.cpp is a general-purpose AI tooling library, so this is within the software supply chain of general-purpose AI systems (dependencies, runtimes, model-serving/inference components). The report provides CVE details, CWE, CVSS, and references, giving sufficient signal for inclusion. No hardware/firmware-only issues are involved. Therefore, it should be kept for AVID curation as a GP AI supply chain vulnerability.

References

Affected or Relevant Artifacts

  • Developer: Meta
  • Deployer: ggerganov
  • Artifact Details:
      • Type: System
      • Name: llama.cpp

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.1
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
  • Base Score: 7.1
  • Base Severity: 🔴 High
  • Attack Vector: NETWORK
  • Attack Complexity: 🔴 High
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: 🔴 High
  • Integrity Impact: 🔴 High
  • Availability Impact: 🟢 Low

CWE

  • ID: CWE-456
  • Description: CWE-456: Missing Initialization of a Variable

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-04-26
  • Version: 0.3.3
  • AVID Entry