CVE-2026-34159

CRITICAL

llama.cpp: Unauthenticated RCE via GRAPH_COMPUTE buffer=0 bypass in llama.cpp RPC backend

Title source: cna

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-34159. PoCs published by XZ1r0, rohithronanki, casp3r0x0.

Description

llama.cpp performs inference of several LLM models in C/C++. Prior to version b8492, the RPC backend's deserialize_tensor() skips all bounds validation when a tensor's buffer field is 0. An unauthenticated attacker can read and write arbitrary process memory via crafted GRAPH_COMPUTE messages. Combined with pointer leaks from ALLOC_BUFFER/BUFFER_GET_BASE, this gives a full ASLR bypass and remote code execution. No authentication is required, only TCP access to the RPC server port. This issue has been patched in version b8492.

Exploits (3)

github WORKING POC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/CVE-2026-34159

This repository contains a functional exploit for CVE-2026-34159, targeting a vulnerability in the llama.cpp RPC server (version b8487). The exploit leverages a null-buffer bypass to achieve arbitrary read/write primitives, leading to a memory-only reverse shell via system() function hijacking.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: llama.cpp RPC server b8487
No auth needed
Prerequisites: Network access to vulnerable llama.cpp RPC server · Python 3 environment
devstral-2 · analyzed May 21, 2026

nomisec WRITEUP
by rohithronanki · poc
https://github.com/rohithronanki/CVE-2026-34159-Vulnerability-Research-Analysis-Detection

The repository provides a technical analysis of CVE-2026-34159, detailing a buffer validation bypass in deserialize_tensor() in llama.cpp versions prior to b8492. It includes exploit chain details, Wireshark PCAPs, detection signatures, and lab reproduction steps, but no functional exploit code is present.

Classification: Writeup 90%
Attack Type: Deserialization
Complexity: Complex
Reliability: Theoretical
Target: llama.cpp < b8492
No auth needed
Prerequisites: Network access to TCP port 50052 · Vulnerable version of llama.cpp
devstral-2 · analyzed May 04, 2026

nomisec WORKING POC
by casp3r0x0 · poc
https://github.com/casp3r0x0/CVE-2026-34159

This repository contains a functional exploit for CVE-2026-34159, targeting a 0-click RCE vulnerability in the llama.cpp RPC server version b8487. The exploit leverages a null-buffer bypass to achieve arbitrary read/write primitives, ultimately leading to a memory-only reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: llama.cpp RPC Server b8487
No auth needed
Prerequisites: Network access to the vulnerable RPC server · Knowledge of the target's architecture and libc version
devstral-2 · analyzed Apr 24, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0042
EPSS Percentile: 62.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-119
Status: published
Products (2)
ggml/llama.cpp < b8492
ggml-org/llama.cpp < b8492
Published: Apr 01, 2026
Tracked Since: Apr 01, 2026