CVE-2024-42478
Published: 12 August 2024
Summary
CVE-2024-42478 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Ggml Llama.Cpp. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 34.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as NLP and Transformers; in the Privacy and Disclosure risk domain; MITRE ATLAS techniques in scope: AML.T0022, Obtain Capabilities (AML.T0016).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-39638
Vulnerability details
llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause arbitrary address reading. This vulnerability is fixed in b3561.
- CWE(s)
AI Security AnalysisAI
- AI Category
- NLP and Transformers
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- llama.cpp is a C/C++ inference engine specifically for large language models (LLMs), which are transformer-based architectures central to NLP tasks.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The unsafe data pointer enables arbitrary memory read from the llama.cpp process, facilitating collection of data from local system process memory (T1005) and exploitation to access credentials if stored in memory (T1212).
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.