CVE-2026-21869CRITICAL 9.8EPSS p34.9%

CVE-2026-21869CVE-2026-21869

Description

llama.cpp is an inference of several LLM models in C/C++. In commits 55d4206c8 and prior, the n_discard parameter is parsed directly from JSON input in the llama.cpp server's completion endpoints without validation to ensure it's non-negative. When a negative value is supplied and the context fills up, llama_memory_seq_rm/add receives a reversed range and negative offset, causing out-of-bounds memory writes in the token evaluation loop. This deterministic memory corruption can crash the process or enable remote code execution (RCE). There is no fix at the time of publication.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.44% probability of exploitation · percentile 34.9% · 2026-06-18T12:00:27Z
Published2026-01-08
Last modified2026-02-02

Underlying weaknesses· 1

CWE-787

References

  1. https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-8947-pfff-2f3c
  2. https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-8947-pfff-2f3c

1

TypeTargetConfidenceTier
WeaknessOut-of-bounds Writecwe-7870%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-52566
CVE
CVE-2026-34159
CVE
CVE-2025-49847
CVE
CVE-2025-62164
CVE
CVE-2025-5302
CVE
CVE-2026-7482
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.