CVE-2026-34159: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer in ggml-org llama.cpp
llama.cpp provides inference of several LLM models in C/C++. Prior to version b8492, the RPC backend's deserialize_tensor() skips all bounds validation when a tensor's buffer field is 0. An unauthenticated attacker can read and write arbitrary process memory via crafted GRAPH_COMPUTE messages. Combined with pointer leaks from ALLOC_BUFFER/BUFFER_GET_BASE, this gives full ASLR bypass and remote code execution. No authentication is required, only TCP access to the RPC server port. This issue has been patched in version b8492.
AI Analysis
Technical Summary
CVE-2026-34159 is a severe memory corruption vulnerability classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) affecting the llama.cpp project by ggml-org, which implements inference for several large language models (LLMs) in C/C++. The vulnerability exists in the RPC backend's deserialize_tensor() function prior to version b8492, where bounds validation is entirely skipped if a tensor's buffer field is set to zero. This logic flaw permits an unauthenticated attacker to send specially crafted GRAPH_COMPUTE messages over TCP to the RPC server, enabling arbitrary read and write operations on the process memory. Furthermore, the attacker can leverage pointer leaks exposed via ALLOC_BUFFER and BUFFER_GET_BASE commands to bypass Address Space Layout Randomization (ASLR), a critical memory protection mechanism. This combination allows the attacker to execute arbitrary code remotely with no authentication or user interaction required. The vulnerability affects all versions before b8492 and is rated with a CVSS 3.1 score of 9.8 (critical), reflecting its high impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild yet, the ease of exploitation and severity make it a significant threat. The issue has been addressed in version b8492 by adding proper bounds checking and validation in the deserialize_tensor() function.
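The flaw class described above, as an added example that is neither llama.cpp's code nor the b8492 patch: a simplified model of a validator that skips every check when the buffer handle is 0, beside a stricter form. The struct layouts, function names and sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified wire tensor; NOT llama.cpp's real struct layout. */
typedef struct {
    uint64_t buffer; /* remote buffer handle, 0 = no buffer attached */
    uint64_t data;   /* address the peer claims the tensor data lives at */
    uint64_t size;   /* byte length of the tensor data */
} wire_tensor;

/* Server-side record of a buffer it really allocated. */
typedef struct { uint64_t handle, base, size; } known_buffer;

/* Constructed sample table: one 4 KiB buffer. */
static const known_buffer BUFFERS[] = { { 1, 0x10000, 0x1000 } };
static const size_t N_BUFFERS = sizeof BUFFERS / sizeof BUFFERS[0];

/* Overflow-safe check that [data, data+size) lies inside a known buffer. */
static bool in_known_buffer(const wire_tensor *t) {
    for (size_t i = 0; i < N_BUFFERS; i++) {
        const known_buffer *b = &BUFFERS[i];
        if (b->handle != t->buffer) continue;
        if (t->data < b->base) return false;
        uint64_t off = t->data - b->base;
        return off <= b->size && t->size <= b->size - off;
    }
    return false; /* unknown handle */
}

/* Flawed pattern from the advisory: buffer == 0 skips every check, so the
   peer-supplied data address and size are trusted as they arrive. */
bool validate_flawed(const wire_tensor *t) {
    if (t->buffer == 0) return true;
    return in_known_buffer(t);
}

/* Hardened pattern (an assumption, not the b8492 patch): a tensor with no
   buffer may not carry a data address; everything else is bounds-checked. */
bool validate_hardened(const wire_tensor *t) {
    if (t->buffer == 0) return t->data == 0;
    return in_known_buffer(t);
}

int main(void) {
    wire_tensor crafted = { 0, UINT64_C(0x7f0000001000), 64 }; /* constructed */
    return (validate_flawed(&crafted) && !validate_hardened(&crafted)) ? 0 : 1;
}
```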
Potential Impact
The vulnerability enables unauthenticated remote attackers to execute arbitrary code on systems running vulnerable versions of llama.cpp, potentially leading to full system compromise. This can result in unauthorized data access, data manipulation, service disruption, and lateral movement within affected networks. Since llama.cpp is used for LLM inference, exploitation could allow attackers to manipulate AI model outputs or exfiltrate sensitive data processed by these models. The lack of authentication and requirement of only TCP access to the RPC port significantly broadens the attack surface, especially in environments where the RPC service is exposed to untrusted networks. Organizations relying on llama.cpp for AI workloads may face severe operational and reputational damage if exploited. The ability to bypass ASLR further increases the reliability of exploitation, making mitigation urgent.
Mitigation Recommendations
1. Immediately upgrade all deployments of llama.cpp to version b8492 or later, which contains the patch for this vulnerability.
2. Restrict network access to the RPC server port by implementing strict firewall rules and network segmentation to limit exposure only to trusted hosts.
3. Employ network-level authentication or VPNs to protect RPC endpoints from unauthorized access.
4. Monitor network traffic for unusual GRAPH_COMPUTE messages or unexpected RPC activity that could indicate exploitation attempts.
5. Conduct regular code audits and fuzz testing on RPC deserialization routines to detect similar memory safety issues proactively.
6. If upgrading is not immediately possible, consider disabling or restricting the RPC backend functionality temporarily to reduce risk.
7. Implement runtime protections such as AddressSanitizer or Control Flow Integrity (CFI) where feasible to detect exploitation attempts.
8. Maintain up-to-date intrusion detection and prevention systems tuned to detect anomalous memory manipulation patterns.
Affected Countries
United States, China, Germany, United Kingdom, Japan, South Korea, France, Canada, Australia, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-25T20:12:04.197Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69cd7224e6bfc5ba1dee83e5
Added to database: 4/1/2026, 7:29:40 PM
Last enriched: 4/1/2026, 7:48:06 PM
Last updated: 4/4/2026, 6:55:28 AM