CVE-2025-49847

8.8 HIGH

📋 TL;DR

A buffer overflow vulnerability in llama.cpp's vocabulary loading code allows attackers to trigger arbitrary memory corruption via malicious GGUF model files. This can potentially lead to remote code execution when processing untrusted models. All systems running vulnerable versions of llama.cpp that load external models are affected.

💻 Affected Systems

Products:
  • llama.cpp
Versions: All versions prior to b5662
Operating Systems: All platforms running llama.cpp
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when loading GGUF model files with malicious vocabulary data.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the llama.cpp process, potentially leading to full system compromise.

🟠 Likely Case

Application crash (denial of service) or memory corruption leading to unstable behavior.

🟢 If Mitigated

Limited impact if models are from trusted sources only and proper sandboxing is in place.

🌐 Internet-Facing: HIGH if llama.cpp processes user-uploaded models from untrusted sources.
🏢 Internal Only: MEDIUM if models are from internal sources, but still vulnerable to supply chain attacks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the victim to load a malicious GGUF model file. No authentication needed if model loading is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: b5662 and later

Vendor Advisory: https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-8wwf-w4qm-gpqr

Restart Required: Yes

Instructions:

1. Update llama.cpp to version b5662 or later.
2. Recompile any applications using llama.cpp.
3. Restart services using llama.cpp.

🔧 Temporary Workarounds

Restrict model sources

all

Only load GGUF models from trusted, verified sources. Implement strict validation of model files before processing.

Sandbox execution

all

Run llama.cpp in a sandboxed environment with limited privileges to contain potential exploitation.

🧯 If You Can't Patch

  • Implement strict input validation for GGUF model files before passing to llama.cpp
  • Run llama.cpp with minimal privileges and in isolated containers
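
One way to approach the pre-load validation named above, as an added example (not llama.cpp code and not part of the advisory): a Python pass over the GGUF v2/v3 metadata section that rejects any length field running past the end of the file and caps the entries of the `tokenizer.ggml.tokens` vocabulary array. The cap values and the `validate_gguf_metadata` / `build_sample` names are assumptions; tensor data is not checked, and this does not replace updating to b5662.

```python
import struct

# GGUF fixed-width metadata value types: type id -> size in bytes
SCALAR = {0: 1, 1: 1, 2: 2, 3: 2, 4: 4, 5: 4, 6: 4, 7: 1, 10: 8, 11: 8, 12: 8}
T_STRING, T_ARRAY, VOCAB_KEY = 8, 9, b"tokenizer.ggml.tokens"
MAX_TOKEN_BYTES, MAX_TOKENS, MAX_KEY_BYTES = 1024, 2_000_000, 65535  # assumed policy caps

class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n, cap=None):
        if (cap is not None and n > cap) or self.pos + n > len(self.data):
            raise ValueError(f"length {n} exceeds cap or runs past end of file")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u32(self): return struct.unpack("<I", self.take(4))[0]
    def u64(self): return struct.unpack("<Q", self.take(8))[0]
    def string(self, cap=None): return self.take(self.u64(), cap)

def check_value(r, vtype, vocab, depth=0):
    if vtype in SCALAR:
        r.take(SCALAR[vtype])
    elif vtype == T_STRING:
        r.string(MAX_TOKEN_BYTES if vocab else None)
    elif vtype == T_ARRAY and depth < 4:
        etype, count = r.u32(), r.u64()
        if vocab and (etype != T_STRING or count > MAX_TOKENS):
            raise ValueError("vocabulary array has unexpected type or size")
        if etype in SCALAR:
            r.take(count * SCALAR[etype])  # bounds-checked in one step
        else:
            for _ in range(count):  # each element read fails at end of file
                check_value(r, etype, vocab, depth + 1)
    else:
        raise ValueError(f"unsupported value type {vtype}")

def validate_gguf_metadata(data):
    r = Reader(data)
    if r.take(4) != b"GGUF" or r.u32() not in (2, 3):
        raise ValueError("not a GGUF v2/v3 file")
    r.u64()  # tensor count: tensor info is outside this check
    for _ in range(r.u64()):  # metadata key/value pairs
        key = r.string(MAX_KEY_BYTES)
        check_value(r, r.u32(), key == VOCAB_KEY)
    return True

def build_sample(token, declared_len):  # constructed input: one-token vocabulary
    hdr = b"GGUF" + struct.pack("<IQQQ", 3, 0, 1, len(VOCAB_KEY)) + VOCAB_KEY
    return hdr + struct.pack("<IIQQ", T_ARRAY, T_STRING, 1, declared_len) + token
```

Run it on the raw file bytes before the path is handed to llama.cpp, and treat any `ValueError` as a rejection.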

🔍 How to Verify

Check if Vulnerable:

Check the llama.cpp build version: builds earlier than b5662 are vulnerable. Also check whether the application loads external GGUF models.

Check Version:

Check build version in source or compiled binary metadata

Verify Fix Applied:

Verify version is b5662 or later and test with known safe GGUF models.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when loading models
  • Memory access violation errors
  • Unexpected process termination

Network Indicators:

  • Unusual model file downloads from untrusted sources

SIEM Query:

Process:llama.cpp AND (EventID:1000 OR ExceptionCode:c0000005)
