Cyber Resilience

CVE-2026-21869

High · Public PoC

Published: 08 January 2026

Modified: 02 February 2026
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0044 (34.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-21869 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in ggml llama.cpp. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 34.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as NLP and Transformers, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-21869 is a memory corruption vulnerability in llama.cpp, a C/C++ inference engine for large language models (LLMs). In commits up to 55d4206c8, the server's completion endpoints parse the n_discard parameter directly from JSON input without validating that it is non-negative. Supplying a negative value, combined with a full context, results in a reversed range and negative offset passed to llama_memory_seq_rm/add functions, triggering out-of-bounds memory writes during the token evaluation loop. This issue is classified under CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Remote attackers can exploit this vulnerability by sending crafted JSON requests to the llama.cpp server's completion endpoints, requiring minimal user interaction such as submitting the malicious input. No authentication or privileges are needed, making it accessible over the network with low complexity. Successful exploitation leads to deterministic memory corruption, which can crash the server process or potentially enable remote code execution (RCE) by overwriting critical memory regions.

The GitHub Security Advisory (GHSA-8947-pfff-2f3c) details the issue but notes there is no fix available at the time of publication on January 8, 2026. Security practitioners should monitor the llama.cpp repository for patches, avoid exposing the server publicly, and validate all JSON inputs server-side until remediation is released.
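The server-side check this analysis calls for, as an added example (not llama.cpp source and not taken from the advisory): a simplified C model that validates a client-supplied n_discard before any removal range or shift offset is derived from it. The names plan_context_shift and shift_plan, the treatment of 0 as "server chooses half of the tail", and the sample values are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (hypothetical names), not llama.cpp source. */
typedef struct {
    int32_t rm_begin; /* first cache position to remove */
    int32_t rm_end;   /* one past the last position to remove */
    int32_t shift;    /* delta applied to positions [rm_end, n_past) */
} shift_plan;

/* Validate the JSON-supplied n_discard against server-side state before any
 * range is handed to the cache. It is taken as int64_t so the check happens
 * before narrowing: a JSON integer can exceed the range of int.
 * Assumption of this model: 0 means "server discards half of the tail". */
bool plan_context_shift(int64_t n_discard_req, int32_t n_keep,
                        int32_t n_past, shift_plan *out)
{
    if (out == NULL || n_keep < 0 || n_past < n_keep)
        return false;
    int32_t n_left = n_past - n_keep;          /* tokens eligible for discard */
    if (n_discard_req < 0 || n_discard_req > n_left)
        return false;                          /* negative or past the tail */
    int32_t n_discard = n_discard_req ? (int32_t)n_discard_req : n_left / 2;
    if (n_discard == 0)
        return false;                          /* nothing to discard */
    out->rm_begin = n_keep;
    out->rm_end   = n_keep + n_discard;        /* > rm_begin, <= n_past */
    out->shift    = -n_discard;                /* tail moves toward n_keep */
    return true;
}

int main(void)
{
    /* Constructed sample requests: n_keep = 64, n_past = 512. */
    const int64_t samples[] = { 128, 0, -128, 449, 4294967296LL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        shift_plan p;
        if (plan_context_shift(samples[i], 64, 512, &p))
            printf("n_discard=%lld: remove [%d,%d), shift %d\n",
                   (long long)samples[i], p.rm_begin, p.rm_end, p.shift);
        else
            printf("n_discard=%lld: rejected\n", (long long)samples[i]);
    }
    return 0;
}
```

Rejecting the request outright, rather than silently clamping the value, keeps a record of malformed n_discard values that monitoring can alert on.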

This vulnerability is particularly relevant to AI/ML deployments, as llama.cpp is widely used for efficient LLM inference, potentially exposing model serving infrastructure to compromise. No real-world exploitation has been reported in available data.

EU & UK References

Vulnerability details

llama.cpp is an inference of several LLM models in C/C++. In commits 55d4206c8 and prior, the n_discard parameter is parsed directly from JSON input in the llama.cpp server's completion endpoints without validation to ensure it's non-negative. When a negative value is supplied and the context fills up, llama_memory_seq_rm/add receives a reversed range and negative offset, causing out-of-bounds memory writes in the token evaluation loop. This deterministic memory corruption can crash the process or enable remote code execution (RCE). There is no fix at the time of publication.

CWE(s)

AI Security Analysis

AI Category: NLP and Transformers
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: llama.cpp, llm

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A vulnerability in the public-facing llama.cpp server endpoints allows unauthenticated remote exploitation via crafted JSON requests, enabling memory corruption and potential RCE. This maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34159 · Same product: ggml llama.cpp
CVE-2026-33298 · Same product: ggml llama.cpp
CVE-2025-27807 · Shared CWE-787
CVE-2024-48856 · Shared CWE-787
CVE-2025-14234 · Shared CWE-787
CVE-2018-25223 · Shared CWE-787
CVE-2018-25154 · Shared CWE-787
CVE-2024-57704 · Shared CWE-787
CVE-2025-29384 · Shared CWE-787
CVE-2024-12648 · Shared CWE-787

Affected Assets

ggml llama.cpp: all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires validation of JSON inputs such as the n_discard parameter to ensure non-negative values, preventing the reversed range and out-of-bounds memory writes.

prevent

Implements memory safeguards like address space randomization and non-executable stacks to protect against exploitation of the out-of-bounds writes leading to RCE.

prevent, recover

Mandates monitoring the llama.cpp repository for flaw remediation patches and timely installation to address the unpatched memory corruption vulnerability.

References