CVE-2026-33298 is a heap-based buffer overflow vulnerability identified in the llama.cpp project by ggml-org, which provides C/C++ inference implementations for large language models (LLMs). The root cause is an integer overflow in the ggml_nbytes function responsible for calculating the memory size required for tensor data structures. When processing a specially crafted GGUF file containing tensor dimensions designed to trigger the overflow, ggml_nbytes returns a significantly smaller size than actually needed (for example, reporting 4MB instead of an exabyte-scale size). This miscalculation causes the application to allocate insufficient memory, leading to a heap buffer overflow when the tensor data is subsequently processed. The overflow can corrupt memory, potentially allowing an attacker to execute arbitrary code remotely. The vulnerability requires the attacker to supply a malicious GGUF file and for the victim to process it, implying user interaction and local vector. No privileges are required to trigger the flaw. The vulnerability is tracked under CWE-122 (Heap-based Buffer Overflow) and CWE-190 (Integer Overflow). The issue was fixed in commit b7824. The CVSS v3.1 base score is 7.8, reflecting high severity with attack vector local, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality, integrity, and availability. No public exploits have been reported so far.

This vulnerability poses a significant risk to organizations deploying llama.cpp for LLM inference, especially those processing untrusted GGUF files. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary code with the privileges of the affected application. This can result in data breaches, system compromise, lateral movement within networks, and disruption of AI services. Given the increasing adoption of LLMs in various sectors including technology, research, and enterprise AI solutions, the impact can be widespread. Systems running vulnerable versions may be targeted to gain footholds or disrupt AI-driven workflows. The requirement for user interaction and local access somewhat limits remote exploitation but does not eliminate risk, particularly in environments where users process third-party or untrusted model files. The absence of known exploits in the wild provides a window for mitigation before active attacks emerge.

Organizations should immediately update llama.cpp to version b7824 or later, which contains the patch fixing the integer overflow and buffer overflow issues. Until updates can be applied, implement strict validation and sanitization of GGUF files before processing, including verifying tensor dimensions and file integrity to prevent malformed inputs. Restrict access to systems running llama.cpp to trusted users and environments to reduce the risk of malicious file processing. Employ runtime protections such as memory safety tools (e.g., ASLR, DEP) and sandboxing to limit the impact of potential exploitation. Monitor logs and system behavior for anomalies indicative of exploitation attempts. Educate users about the risks of processing untrusted model files and enforce policies to avoid loading models from unverified sources. Regularly review and apply security advisories from ggml-org and related communities.