GGUF Tensor Offset Integer Overflow PoC
Security Research Only - Do NOT use this model for inference
Vulnerability
- Package: gguf (PyPI, part of llama.cpp)
- File: gguf_reader.py, line 333
- Code: data_offs = int(start_offs + offset_tensor[0])
- CVE: Pending (reported to Huntr)
Description
offset_tensor[0] is read as numpy.uint64 directly from the GGUF file.
When set to UINT64_MAX (0xFFFFFFFFFFFFFFFF), the addition overflows numpy's
uint64 arithmetic (wraps mod 2^64), causing the tensor to be silently loaded
from the wrong file offset.
Reproduction
import warnings
from gguf import GGUFReader

# Record every warning raised while the file is parsed.
with warnings.catch_warnings(record=True) as w:
    warnings.simplefilter("always")
    reader = GGUFReader("evil.gguf")

# numpy reports the uint64 wraparound as a warning that mentions "overflow".
for warning in w:
    if "overflow" in str(warning.message).lower():
        print(f"CONFIRMED: {warning.message}")
        print(f"at: {warning.filename}:{warning.lineno}")
Expected output:
CONFIRMED: overflow encountered in scalar add
at: .../gguf/gguf_reader.py:333
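A reader can reject such a file before any data is mapped by doing the offset arithmetic in plain Python integers and bounds-checking against the file size. The following is an added example, not code from the gguf package or its fix; the function names and sample sizes are hypothetical, and the unchecked add is modelled with a 64-bit mask instead of numpy so the block has no dependencies.

```python
import struct

UINT64_MASK = (1 << 64) - 1

def wrapped_offset(start_offs: int, raw_field: bytes) -> int:
    """Model of the unchecked add: the sum is reduced mod 2^64."""
    (rel,) = struct.unpack("<Q", raw_field)
    return (start_offs + rel) & UINT64_MASK

def checked_offset(start_offs: int, raw_field: bytes,
                   n_bytes: int, file_size: int) -> int:
    """Return the absolute tensor offset, or raise ValueError if it is invalid."""
    (rel,) = struct.unpack("<Q", raw_field)  # plain Python int, no fixed width
    if not 0 <= start_offs <= file_size:
        raise ValueError("data section starts outside the file")
    # Python ints cannot wrap, so these comparisons are exact.
    if rel > file_size - start_offs:
        raise ValueError(f"tensor offset {rel:#x} is past end of file")
    data_offs = start_offs + rel
    if n_bytes > file_size - data_offs:
        raise ValueError("tensor data runs past end of file")
    return data_offs

# Constructed sample values, not taken from any real model file.
FILE_SIZE = 4096
START_OFFS = 1024    # hypothetical start of the tensor data section
N_BYTES = 64         # hypothetical tensor payload size
GOOD_FIELD = struct.pack("<Q", 256)
EVIL_FIELD = struct.pack("<Q", 0xFFFFFFFFFFFFFFFF)  # UINT64_MAX, as described above

def describe(raw_field: bytes) -> str:
    """Run the checked path and report the outcome as text."""
    try:
        offs = checked_offset(START_OFFS, raw_field, N_BYTES, FILE_SIZE)
        return f"accepted at {offs}"
    except ValueError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    # The wrapped sum lands one byte before the data section starts.
    print("unchecked:", wrapped_offset(START_OFFS, EVIL_FIELD))
    print("good field:", describe(GOOD_FIELD))
    print("evil field:", describe(EVIL_FIELD))
```
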
Existing CVEs (C/C++ only, NOT Python)
- GHSA-96jg-mvhq-q7q7: ggml/src/gguf.cpp (C++)
- GHSA-vgg9-87g3-85w8: ggml/src/gguf.cpp (C++)
This Python-layer integer overflow is not covered by existing CVEs.
Uploaded by kevintsai1202 for responsible disclosure via Huntr.