Bug#1109124: llama.cpp: CVE-2025-53630

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1109124: llama.cpp: CVE-2025-53630
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 11 Jul 2025 21:19:52 +0200
Message-id: <[🔎] 175226159297.1112526.11785336870316651117.reportbug@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1109124@bugs.debian.org

Source: llama.cpp
Version: 5760+dfsg-4
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for llama.cpp.

CVE-2025-53630[0]:
| llama.cpp is an inference of several LLM models in C/C++. Integer
| Overflow in the gguf_init_from_file_impl function in
| ggml/src/gguf.cpp can lead to Heap Out-of-Bounds Read/Write. This
| vulnerability is fixed in commit
| 26a48ad699d50b6268900062661bd22f3e792579.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-53630
    https://www.cve.org/CVERecord?id=CVE-2025-53630
[1] https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-vgg9-87g3-85w8
[2] https://github.com/ggml-org/llama.cpp/commit/26a48ad699d50b6268900062661bd22f3e792579

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply to:

Follow-Ups:
- Bug#1109124: marked as done (llama.cpp: CVE-2025-53630)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1109124: llama.cpp: CVE-2025-53630
  - From: Christian Kastner <ckk@kvr.at>

Prev by Date: Re: Needing branches for releases ?
Next by Date: Processed: Re-assign to src:ggml
Previous by thread: Processing of hipfft_6.4.1-1~exp2_source.changes
Next by thread: Bug#1109124: marked as done (llama.cpp: CVE-2025-53630)
Index(es):
- Date
- Thread