#1128477 llama.cpp: CVE-2026-2069

Package:
src:llama.cpp
Source:
src:llama.cpp
Submitter:
Salvatore Bonaccorso
Date:
2026-02-20 16:59:01 UTC
Severity:
normal
Tags:
#1128477#5
Date:
2026-02-20 07:58:30 UTC
From:
To:
Hi,

The following vulnerability was published for llama.cpp.

CVE-2026-2069[0]:
| A flaw has been found in ggml-org llama.cpp up to 55abc39. Impacted
| is the function llama_grammar_advance_stack of the file
| llama.cpp/src/llama-grammar.cpp of the component GBNF Grammar
| Handler. This manipulation causes stack-based buffer overflow. The
| attack needs to be launched locally. The exploit has been published
| and may be used. Patch name: 18993. To fix this issue, it is
| recommended to deploy a patch.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-2069
https://www.cve.org/CVERecord?id=CVE-2026-2069
[1] https://github.com/ggml-org/llama.cpp/issues/18988
[2] https://github.com/ggml-org/llama.cpp/pull/18993

Regards,
Salvatore

#1128477#10
Date:
2026-02-20 16:56:37 UTC
From:
To:
I'm monitoring this, and will push an update once a fix has been released.

From the way it looks now, this will not need a new ggml release.

Best,
Christian