CVE-2024-23605: 
Homebrew vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability exists in the GGUF library header.n_kv functionality of llama.cpp Commit 18c2e17. The vulnerability, identified as CVE-2024-23605, was discovered in January 2024 and affects the LLaMA.cpp project, which is a C/C++ implementation for running Large Language Models (LLMs) (Talos Report).

The vulnerability occurs in the GGUF file format parsing functionality. The issue stems from an integer overflow in the multiplication between ctx->header.n_kv (an arbitrary uint64_t value) and sizeof(struct gguf_kv) (48 bytes), resulting in insufficient memory allocation. This can lead to a heap-based buffer overflow when writing the pointer to a string in kv->key. The vulnerability has been assigned a CVSSv3 score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified under CWE-190 (Integer Overflow or Wraparound) (Talos Report).

The exploitation of this vulnerability could lead to code execution on the targeted machine. An attacker can trigger this vulnerability by providing a specially crafted .gguf file, which is commonly used to store language models for inference (Talos Report).

The vulnerability has been fixed in a vendor patch released on January 29, 2024. Users are advised to update to the latest version of llama.cpp that includes the security fix (Talos Report).

The vulnerability was independently reported by Databricks concurrently with Cisco Talos's discovery. The fix was promptly released by the vendor, demonstrating a quick response to the security issue (Talos Report).