GGML GGUF File Format Vulnerabilities
Summary
Databricks' GGML GGUF file format vulnerabilities blog details multiple heap overflow CVEs discovered in the GGML GGUF loader, triggered by insufficient input validation and unbounded data, enabling potential remote code execution via crafted gguf files. The post documents five CVEs, outlines how unvalidated counts, string lengths, and array indices can cause memory corruption, notes patches merged into the GGML repository, and highlights collaboration with GGML.ai to improve security. It serves as a warning for teams deploying GGUF-based models (e.g., Llama-2) and stresses applying patched releases and validation fixes.