The GGML library contains memory corruption vulnerabilities during parsing of GGUF files, which can be exploited by an attacker to execute code on a victim's computer. Multiple vulnerabilities exist, including unchecked kv count, unchecked tensor count, and heap overflows. Databricks worked with the GGML.ai team to address these vulnerabilities in the library.
Table of contents
TimelineCVE-2024-25664 Heap Overflow #1: Unchecked KV CountCVE-2024-25665 Heap Overflow #2: Reading string typesCVE-2024-25666 Heap Overflow #3: Tensor count uncheckedCVE-2024-25667 Heap Overflow #4: User-supplied Array ElementsCVE-2024-25668 Heap Overflow #5: Unpacking kv string type arraysConclusionSort: