CVE-2024-42477
Published: 12 August 2024
Summary
CVE-2024-42477 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Ggml Llama.Cpp. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked in the top 49.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as NLP and Transformers; in the Privacy and Disclosure risk domain; MITRE ATLAS techniques in scope: AML.T0022, Exfiltration via AI Inference API (AML.T0024), External Harms (AML.T0048).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-39637
Vulnerability details
llama.cpp provides LLM inference in C/C++. The unsafe `type` member in the `rpc_tensor` structure can cause `global-buffer-overflow`. This vulnerability may lead to memory data leakage. The vulnerability is fixed in b3561.
- CWE(s)
AI Security AnalysisAI
- AI Category
- NLP and Transformers
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- llama.cpp is a C/C++ library specifically for LLM inference, and LLMs are based on transformer architectures used in NLP tasks.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The global-buffer-overflow vulnerability in the rpc_tensor structure enables memory data leakage, which adversaries can exploit to perform OS Credential Dumping (T1003) or more generally steal credentials from process memory.
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.