Bug 2447033 (CVE-2026-27940)

Summary: CVE-2026-27940 llama.cpp: heap-based buffer overflow via integer overflow in mem_size calculation (bypass of CVE-2025-53630 fix)
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in llama.cpp. A integer overflow can occur in the gguf_init_from_file_impl function in the gguf.cpp file, leading to an undersized heap allocation. A subsequent fread function call can write 528+ bytes of attacker controlled data past the buffer boundary. This issue is a bypass of CVE-2025-53630.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2448112    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-12 17:01:56 UTC
llama.cpp is an inference of several LLM models in C/C++. Prior to b8146, the gguf_init_from_file_impl() in gguf.cpp is vulnerable to an Integer overflow, leading to an undersized heap allocation. Using the subsequent fread() writes 528+ bytes of attacker-controlled data past the buffer boundary. This is a bypass of a similar bug in the same file - CVE-2025-53630, but the fix overlooked some areas. This vulnerability is fixed in b8146.