Vulnerability DatabaseCVE-2024-23496

CVE-2024-23496:
Homebrew vulnerability analysis and mitigation

Overview

A heap-based buffer overflow vulnerability (CVE-2024-23496) exists in the GGUF library gguf_fread_str functionality of llama.cpp Commit 18c2e17. The vulnerability was discovered in January 2024 and affects the LLaMA.cpp project, which is a C/C++ implementation for running Large Language Models (LLMs) (Talos Report).

Technical details

The vulnerability occurs in the gguf_fread_str function where an integer overflow can happen during the p->n + 1 calculation when allocating memory space. This overflow results in allocating a smaller space than necessary, leading to a heap-based buffer overflow when the buffer is filled with data from the file. The vulnerability has been assigned a CVSSv3 score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified under CWE-190 (Integer Overflow or Wraparound) (Talos Report).

Impact

The successful exploitation of this vulnerability could lead to code execution on the targeted machine. The vulnerability affects the processing of .gguf files, which are commonly used to store language models for inference (Talos Blog).

Mitigation and workarounds

The vulnerability has been fixed, as confirmed by Talos, though no specific vendor response was received. Databricks independently reported this vulnerability concurrently with Talos's discovery (Talos Report).

Additional resources

Source: This report was generated using AI

Related Homebrew vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-22861	HIGH	8.8	Homebrew	iccdev	No	Yes	Jan 13, 2026
CVE-2026-22776	HIGH	8.7	Homebrew	cpp-httplib	No	Yes	Jan 12, 2026
CVE-2026-22783	HIGH	8.1	NixOS	iris	No	Yes	Jan 12, 2026
CVE-2026-21283	HIGH	7.8	Adobe Bridge	bridge	No	Yes	Jan 13, 2026
CVE-2026-22784	LOW	2.3	NixOS	lychee	No	Yes	Jan 12, 2026