YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

llama.cpp GGML_PAD Integer Overflow PoC

Vulnerability

Type: Integer Overflow in GGML_PAD -> Heap Buffer Overflow (CWE-190 -> CWE-122) Location: ggml/src/gguf.cpp line 724, function gguf_init_from_file_ptr() Severity: High (CVSS 7.8) Affected: ggml-org/llama.cpp (all versions with GGML_PAD in GGUF parser)

Root Cause

The GGML_PAD(x, n) macro computes ((x) + (n) - 1) & ~((n) - 1). When ggml_nbytes() returns SIZE_MAX - 3 (from a crafted F32 tensor with ne[0] = SIZE_MAX/4 = 4611686018427387903), the addition overflows:

GGML_PAD(SIZE_MAX - 3, 32):
  (SIZE_MAX - 3) + 31 = SIZE_MAX + 28  -> wraps to 27
  27 & ~31 = 0
  padded_size = 0  (OVERFLOW!)

This bypasses the existing SIZE_MAX - ctx->size < padded_size check (because 0 < anything is always false), causing an undersized allocation and OOB tensor data pointers.

Distinct from Known CVEs

  • CVE-2025-53630: overflow in ctx->size += padded_size accumulation
  • CVE-2026-27940: overflow in overhead + ctx->size calculation
  • CVE-2026-33298: overflow inside ggml_nbytes() function

This finding is in GGML_PAD itself, BETWEEN ggml_nbytes and the accumulation.

Files

  • ggml_pad_overflow.gguf - 256-byte crafted GGUF file (load to trigger)
  • create_poc.py - PoC generator with mathematical verification
  • poc_standalone.c - Standalone C program proving the overflow math
  • harness_v3.cpp - ASAN test harness (confirms heap-buffer-overflow)

ASAN Output

==210==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51a000000670
READ of size 1 at 0x51a000000670 thread T0
0x51a000000670 is located 288 bytes to the right of 1232-byte region
[0x51a000000080,0x51a000000550)

Reproduction

python3 create_poc.py          # generates ggml_pad_overflow.gguf
gcc -g poc_standalone.c -o poc  # standalone math verification
./poc                           # confirms GGML_PAD overflow to 0

Suggested Fix

Check for GGML_PAD overflow before computing padded size:

if (tensor_nbytes > SIZE_MAX - (ctx->alignment - 1)) {
    // reject: GGML_PAD would overflow
}

Responsible Disclosure

This PoC is for responsible disclosure via huntr.com. License: MIT Researcher: neimasilk

Downloads last month
13
GGUF
Model size
4611686T params
Architecture
Hardware compatibility
Log In to add your hardware

We're not able to determine the quantization variants.

Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support