CVE-2025-49847 is a high-severity vulnerability affecting versions of the open-source project llama.cpp prior to b5662. llama.cpp is a C/C++ implementation used for inference of large language models (LLMs), relying on GGUF model vocabularies. The vulnerability arises from improper bounds checking in the vocabulary-loading code, specifically within the helper function _try_copy located in llama.cpp/src/vocab.cpp in the method llama_vocab::impl::token_to_piece(). The core issue is that a token length, originally a size_t type, is cast to a signed 32-bit integer (int32_t) without adequate validation. This cast allows an attacker-supplied GGUF model vocabulary with an excessively large token length to bypass the length check (if (length < (int32_t)size)) because the casted length may wrap or become negative, causing the condition to incorrectly evaluate as true. Consequently, memcpy is called with this oversized length, leading to a buffer overflow. This overflow can overwrite memory beyond the intended buffer, resulting in arbitrary memory corruption. The implications include potential arbitrary code execution, compromising confidentiality, integrity, and availability of the host system. The vulnerability requires no privileges (PR:N) but does require user interaction (UI:R), meaning an attacker must convince a user to load a malicious GGUF model. The attack vector is network-based (AV:N), and the scope is unchanged (S:U). The vulnerability has a CVSS 3.1 base score of 8.8, reflecting high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, and the issue has been patched in version b5662 of llama.cpp. The vulnerability is categorized under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-195 (Signed to Unsigned Conversion Error).

European organizations utilizing llama.cpp for LLM inference, particularly those integrating GGUF model vocabularies from external or untrusted sources, face significant risks. Exploitation can lead to arbitrary code execution, enabling attackers to execute malicious payloads, escalate privileges, or disrupt services. This can compromise sensitive data processed by LLMs, including intellectual property, personal data, or confidential communications, violating GDPR and other data protection regulations. The vulnerability's network attack vector and requirement for user interaction mean phishing or social engineering could be used to deliver malicious models. Sectors heavily relying on AI and LLMs, such as finance, healthcare, research institutions, and technology companies, are particularly vulnerable. Disruption or compromise of AI inference infrastructure could lead to operational downtime, reputational damage, and regulatory penalties. Given the growing adoption of LLMs in Europe, the threat surface is expanding, especially in organizations deploying custom or third-party GGUF models without strict validation.

1. Immediate upgrade to llama.cpp version b5662 or later, where the vulnerability is patched. 2. Implement strict validation and sanitization of all GGUF model vocabularies before loading, including verifying token lengths and rejecting suspiciously large or malformed tokens. 3. Restrict model loading to trusted sources only; avoid loading models from unverified third parties or unknown origins. 4. Employ runtime memory protection mechanisms such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to mitigate exploitation impact. 5. Monitor and log all model loading activities to detect anomalous or unexpected model files. 6. Educate users on the risks of loading untrusted models and enforce policies to prevent unauthorized model usage. 7. For organizations embedding llama.cpp in larger systems, conduct thorough code audits and fuzz testing focused on vocabulary processing components. 8. Consider sandboxing the inference environment to contain potential exploitation effects. 9. Maintain up-to-date threat intelligence feeds to detect emerging exploitation attempts.