CVE-2024-21802: 
Homebrew vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability was discovered in the GGUF library info->ne functionality of llama.cpp Commit 18c2e17. The vulnerability, identified as CVE-2024-21802, was discovered and reported by Francesco Benvenuto of Cisco Talos. The issue was disclosed on February 26, 2024, and affects the llama.cpp implementation, which is used for running LLaMA models (Talos Report).

The vulnerability exists in the GGUF file parsing functionality, specifically in the gguf_init_from_file function. The issue occurs when processing tensor information where the info->n_dims (an arbitrary uint32_t value) is used to control a loop that writes to the info->ne array, which has a fixed size of GGML_MAX_DIMS (4). This mismatch can lead to a heap-based buffer overflow. The vulnerability has been assigned a CVSSv3 score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is categorized as CWE-122 (Heap-based Buffer Overflow) (Talos Report).

When successfully exploited, this vulnerability can lead to code execution on the target system. The high CVSS score of 8.8 indicates severe potential impacts on confidentiality, integrity, and availability of the affected system (Talos Report).

The vulnerability has been fixed, as confirmed by Cisco Talos. The issue was patched on January 29, 2024, the same day it was reported to the vendor. Users should update to a version newer than Commit 18c2e17 (Talos Report).

Databricks independently reported this vulnerability concurrently with Cisco Talos's discovery. The vendor promptly addressed the issue by releasing a patch on the same day it was reported (Talos Report).