PulseAugur
EN
LIVE 09:01:04

llama.cpp b9917 fixes critical tokenizer vulnerabilities

The llama.cpp project released version b9917, addressing critical security vulnerabilities in its UGM tokenizer. Specifically, the update fixes out-of-bounds reads that could be triggered by malicious T5/UGM GGUF files. These fixes involve validating the minimum size of data blobs and replacing unsafe string functions with bounds-checked alternatives to prevent heap-buffer overflows. AI

IMPACT Enhances the security of local LLM inference tools by patching vulnerabilities in tokenizer handling.

RANK_REASON This is a software maintenance release for an open-source project, addressing security vulnerabilities.

Read on llama.cpp — Releases →

AI-generated summary · Google Gemini · from 1 sources. How we write summaries →

llama.cpp b9917 fixes critical tokenizer vulnerabilities

COVERAGE [1]

  1. llama.cpp — Releases TIER_1 English(EN) · hourhl ·

    b9917: fix: OOB reads in UGM tokenizer (precompiled_charsmap handling) (#18750)

    <ul> <li>fix: OOB reads in UGM tokenizer (precompiled_charsmap handling)</li> </ul> <ul> <li>Validate minimum size (4 bytes) before reading xcda_blob_size</li> <li>Use strnlen with bounds check instead of unsafe strlen</li> </ul> <p>Both issues allow heap-buffer-overflow from mal…