@blamejs/exceptd-skills 0.13.82 → 0.13.84

package/data/cve-catalog.json

@@ -55,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.035,
+      "current_rate": 0.034,
       "current_floor_enforced_by_test": 0.03,
       "ladder_to_target": [
         0.03,
@@ -11821,6 +11821,532 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "NVIDIA Container Toolkit loads code via an untrusted search path in its init hooks (CWE-426), letting a crafted container escape to the host with elevated permissions (NVIDIAScape). Affects Container Toolkit <= 1.17.7 (fixed 1.17.8) and GPU Operator <= 25.3.0 (fixed 25.3.1)."
   },
+  "CVE-2025-1550": {
+    "name": "Keras .keras Model Deserialization Arbitrary Code Execution",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL). Arbitrary code execution at model-load time via unrestricted importlib use in the .keras format parser — no Lambda layer or custom object required, and loading (not calling) the model triggers it.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploit / research exists (Huntr writeups; Exploit-DB EDB-52359 for the Keras model RCE): a crafted .keras model archive executes code when loaded.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via Keras security advisories / Huntr. The abused surface is the ML model file format — the canonical AI supply-chain risk where an untrusted model artifact is executable code.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; unsafe deserialization of ML model artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory / research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Keras 3.0.0 through 3.7.x (fixed in 3.8.0, which introduced the safe_mode mitigation).",
+    "affected_versions": [
+      "Keras >= 3.0.0, < 3.8.0"
+    ],
+    "vector": "Keras's .keras model-format parser uses importlib.import_module on names taken from the model archive, so a crafted .keras file executes arbitrary Python modules/functions when the model is loaded (CWE-94) — without Lambda layers or custom objects, at parse time. An attacker who can get a victim to load an untrusted model achieves code execution.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. AV:N — loading the model (not calling it) triggers execution.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Keras to 3.8.0 or later; no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Keras to 3.8.0 or later and never load .keras models from untrusted sources. Note safe_mode alone is insufficient (see CVE-2025-8747)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track ML frameworks' model-loading paths as managed, RCE-bearing software, nor that a first fix (safe_mode) was bypassable.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to ML model artifacts, which are treated as data despite being executable at load time.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the model-deserialization path as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach ML model loading as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted-model-artifact loading as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for treating model artifacts as untrusted code.",
+      "AU-ISM-1546": "Patch-application control does not single out ML frameworks' model-loading paths.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML model file as untrusted executable input; loading one from an untrusted source is RCE, and safe_mode proved necessary-but-insufficient."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Keras/TensorFlow are among the most widely used ML frameworks) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-1550",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Python module imports or subprocess execution occurring during keras.models.load_model / Model.load_model of an externally sourced .keras file.",
+        "A .keras archive whose config references importlib targets or built-in module arguments that resolve to code execution.",
+        "Loading model artifacts pulled from a model hub or user upload without provenance verification.",
+        "Keras at an affected version (Keras >= 3.0.0, < 3.8.0) loading untrusted models — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the primary public exploit for CVE-2025-1550 — Exploit-DB EDB-52359 (https://www.exploit-db.com/exploits/52359) and the PoC write-up at https://github.com/io-no/CVE-Reports/issues/2 — plus the Huntr technical analysis (https://blog.huntr.com/inside-cve-2025-1550-remote-code-execution-via-keras-models) and NVD CVE-2025-1550 (CWE-94). The importlib-driven load-time execution is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+      "https://github.com/keras-team/keras/security/advisories",
+      "https://www.exploit-db.com/exploits/52359",
+      "https://github.com/io-no/CVE-Reports/issues/2"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-1550",
+        "url": "https://github.com/keras-team/keras/security/advisories",
+        "severity": "critical",
+        "published_date": "2025-03-11"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-1550",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+        "severity": "critical",
+        "published_date": "2025-03-11"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-94; NIST CVSS 9.8) + the Keras security advisory / Huntr research. Member of the ML model-deserialization family — untrusted model artifact equals executable code; CVE-2025-8747 shows the first fix was bypassable.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Keras's .keras model parser runs arbitrary Python via importlib at load time (CWE-94), so loading an untrusted model is RCE; fixed in 3.8.0 (added safe_mode)."
+  },
+  "CVE-2025-8747": {
+    "name": "Keras safe_mode Bypass Model Deserialization Code Execution",
+    "type": "RCE",
+    "cvss_score": 7.8,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 7.8 (HIGH). A bypass of the safe_mode mitigation introduced for CVE-2025-1550: even with safe_mode enabled, a crafted .keras archive passed to Model.load_model can execute code by abusing arguments to built-in Keras modules (CWE-502).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploit / research exists (Huntr writeups; Exploit-DB EDB-52359 for the Keras model RCE): a crafted .keras model archive executes code when loaded, bypassing the safe_mode mitigation.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via Keras security advisories / Huntr. The abused surface is the ML model file format — the canonical AI supply-chain risk where an untrusted model artifact is executable code.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; unsafe deserialization of ML model artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory / research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Keras 3.0.0 through 3.10.0 (the safe_mode mitigation from 3.8.0 is bypassable through 3.10.0).",
+    "affected_versions": [
+      "Keras >= 3.0.0, <= 3.10.0"
+    ],
+    "vector": "The safe_mode mitigation added for CVE-2025-1550 is incomplete: Model.load_model still deserializes untrusted .keras archives in a way that lets crafted arguments to built-in Keras modules execute code (CWE-502), even when safe_mode is enabled. Loading an untrusted model is therefore still RCE.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. AV:L / UI:R — requires a victim to load the crafted model.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Keras past 3.10.0 to the release that fixes the safe_mode bypass; no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Keras past 3.10.0 (to the release that fixes the safe_mode bypass) and treat safe_mode as necessary-but-insufficient: never load .keras models from untrusted sources."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track ML frameworks' model-loading paths as managed, RCE-bearing software, nor that a first fix (safe_mode) was bypassable.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to ML model artifacts, which are treated as data despite being executable at load time.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the model-deserialization path as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach ML model loading as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted-model-artifact loading as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for treating model artifacts as untrusted code.",
+      "AU-ISM-1546": "Patch-application control does not single out ML frameworks' model-loading paths.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML model file as untrusted executable input; loading one from an untrusted source is RCE, and safe_mode proved necessary-but-insufficient."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Keras/TensorFlow are among the most widely used ML frameworks) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-8747",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Python module imports or subprocess execution occurring during keras.models.load_model / Model.load_model of an externally sourced .keras file.",
+        "A .keras archive whose config references importlib targets or built-in module arguments that resolve to code execution.",
+        "Loading model artifacts pulled from a model hub or user upload without provenance verification.",
+        "Keras at an affected version (Keras >= 3.0.0, <= 3.10.0) loading untrusted models — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the primary advisory for the CVE-2025-8747 safe_mode bypass — GitHub Security Advisory GHSA-c9rc-mg46-23w3 (https://github.com/advisories/GHSA-c9rc-mg46-23w3), which documents the bypass technique and PoC — plus NVD CVE-2025-8747 (CWE-502) and the Huntr Keras-deserialization research (https://blog.huntr.com/hunting-vulnerabilities-in-keras-model-deserialization). The safe_mode-enabled Model.load_model code execution via built-in module arguments is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-8747",
+      "https://github.com/advisories/GHSA-c9rc-mg46-23w3"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-8747",
+        "url": "https://github.com/advisories/GHSA-c9rc-mg46-23w3",
+        "severity": "high",
+        "published_date": "2025-08-11"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-8747",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8747",
+        "severity": "high",
+        "published_date": "2025-08-11"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 7.8) + the Keras security advisory / Huntr research. Member of the ML model-deserialization family — untrusted model artifact equals executable code; CVE-2025-8747 shows the first fix was bypassable.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Keras safe_mode (added for CVE-2025-1550) is bypassable through 3.10.0: a crafted .keras archive executes code via built-in module arguments even with safe_mode on (CWE-502). The first fix was incomplete."
+  },
+  "CVE-2024-42479": {
+    "name": "llama.cpp RPC Backend SET_TENSOR Out-of-Bounds Write RCE",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST CVSS v3.1 base 9.8 (CRITICAL); GitHub scored it 10.0 (Scope:Changed). An unsafe data pointer in the rpc_tensor struct enables a write-what-where primitive (CWE-787/CWE-123).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploitation research exists (pwner.gg and retr0.blog walkthroughs of llama.cpp RPC RCE): an unauthenticated TCP client to the RPC server sends crafted rpc_tensor messages to read/write arbitrary memory and, chaining the primitives, execute code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via llama.cpp (ggml) GitHub security advisories and independent exploitation research. The abused surface is the distributed-inference RPC backend of the most widely used local LLM runtime.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic memory-safety in the inference RPC backend, notable for the incomplete first fix.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory / research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "llama.cpp prior to build b3561.",
+    "affected_versions": [
+      "llama.cpp < b3561"
+    ],
+    "vector": "llama.cpp's RPC backend deserializes a rpc_tensor whose data pointer is attacker-controlled and unvalidated, so a SET_TENSOR message yields an arbitrary-address write (write-what-where, CWE-123). An unauthenticated attacker with TCP access to the RPC server (default port 50052) achieves remote code execution.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — unauthenticated TCP access to the RPC server (default port 50052).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading llama.cpp to build b3561 or later; rebuild/redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade llama.cpp to build b3561 or later. Never expose the RPC server (default port 50052) to untrusted networks; it has no authentication. Bind it to localhost or a trusted segment and run least-privilege."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the local-LLM runtime's RPC backend as managed, RCE-bearing software, nor that the first fix left the GRAPH_COMPUTE path unpatched.",
+      "NIST-800-53-SC-7": "Boundary-protection control does not flag the unauthenticated RPC server (port 50052) as a network-exposed execution surface.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the inference RPC backend's tensor deserialization as a memory-safety surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the inference RPC backend as a privileged, unauthenticated control plane.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated inference-RPC memory-corruption RCE as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating deserialized tensor bounds in the inference RPC backend.",
+      "AU-ISM-1546": "Patch-application control does not single out the local-LLM runtime's RPC backend.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the inference RPC backend's deserialized tensors as untrusted input requiring bounds validation on every command path; per-command patching left GRAPH_COMPUTE exploitable."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=24 (llama.cpp is the most widely used local LLM runtime) minus patch 15. Note: unauthenticated network reachability of the RPC server raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-42479",
+    "cwe_refs": [
+      "CWE-787",
+      "CWE-123"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Inbound TCP connections to the llama.cpp RPC server (default port 50052) from untrusted hosts.",
+        "RPC messages carrying rpc_tensor structures with a data pointer or buffer field that does not reference a server-allocated buffer (buffer=0 / out-of-range).",
+        "llama.cpp RPC worker crashes, anomalous memory access, or process spawning following GRAPH_COMPUTE / SET_TENSOR / GET_TENSOR traffic.",
+        "llama.cpp at an affected build (llama.cpp < b3561) with the RPC server reachable from untrusted networks — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the ggml/llama.cpp GitHub security advisory (https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-wcr5-566p-9cwj) and the public exploitation research (https://pwner.gg/blog/2024-10-03-llama-cpp-cves ; https://retr0.blog/blog/llama-rpc-rce), plus NVD CVE-2024-42479 (CWE-787/CWE-123). The unvalidated rpc_tensor data pointer / buffer=0 deserialization is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-42479",
+      "https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-wcr5-566p-9cwj",
+      "https://pwner.gg/blog/2024-10-03-llama-cpp-cves"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-42479",
+        "url": "https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-wcr5-566p-9cwj",
+        "severity": "critical",
+        "published_date": "2024-08-12"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-42479",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42479",
+        "severity": "critical",
+        "published_date": "2024-08-12"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-787/CWE-123; NIST CVSS 9.8) + the ggml/llama.cpp GitHub security advisory + public exploitation research. Member of the llama.cpp RPC-backend memory-safety family; CVE-2026-34159 is the GRAPH_COMPUTE path the b3561 fix for CVE-2024-42478/42479 left unpatched.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "llama.cpp's RPC backend SET_TENSOR uses an unvalidated rpc_tensor data pointer, giving an unauthenticated attacker a write-what-where primitive and RCE; fixed in b3561."
+  },
+  "CVE-2024-42478": {
+    "name": "llama.cpp RPC Backend GET_TENSOR Out-of-Bounds Read",
+    "type": "INFO-DISCLOSURE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST CVSS v3.1 base 9.8 (CRITICAL). An unsafe data pointer in the rpc_tensor struct enables arbitrary-address reads (CWE-125), a primitive for pointer leaks / ASLR bypass that chains into the write-what-where RCE.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploitation research exists (pwner.gg and retr0.blog walkthroughs of llama.cpp RPC RCE): an unauthenticated TCP client to the RPC server sends crafted rpc_tensor messages to read/write arbitrary memory and, chaining the primitives, execute code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via llama.cpp (ggml) GitHub security advisories and independent exploitation research. The abused surface is the distributed-inference RPC backend of the most widely used local LLM runtime.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic memory-safety in the inference RPC backend, notable for the incomplete first fix.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory / research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "llama.cpp prior to build b3561.",
+    "affected_versions": [
+      "llama.cpp < b3561"
+    ],
+    "vector": "llama.cpp's RPC backend deserializes a rpc_tensor whose data pointer is attacker-controlled and unvalidated, so a GET_TENSOR message yields an arbitrary-address read (CWE-125). An unauthenticated attacker with TCP access to the RPC server leaks memory (pointers, ASLR bypass), enabling reliable exploitation of the companion write primitive.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — unauthenticated TCP access to the RPC server (default port 50052).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading llama.cpp to build b3561 or later; rebuild/redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade llama.cpp to build b3561 or later. Never expose the RPC server (default port 50052) to untrusted networks; it has no authentication. Bind it to localhost or a trusted segment and run least-privilege."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the local-LLM runtime's RPC backend as managed, RCE-bearing software, nor that the first fix left the GRAPH_COMPUTE path unpatched.",
+      "NIST-800-53-SC-7": "Boundary-protection control does not flag the unauthenticated RPC server (port 50052) as a network-exposed execution surface.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the inference RPC backend's tensor deserialization as a memory-safety surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the inference RPC backend as a privileged, unauthenticated control plane.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated inference-RPC memory-corruption RCE as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating deserialized tensor bounds in the inference RPC backend.",
+      "AU-ISM-1546": "Patch-application control does not single out the local-LLM runtime's RPC backend.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the inference RPC backend's deserialized tensors as untrusted input requiring bounds validation on every command path; per-command patching left GRAPH_COMPUTE exploitable."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=24 (llama.cpp is the most widely used local LLM runtime) minus patch 15. Note: unauthenticated network reachability of the RPC server raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-42478",
+    "cwe_refs": [
+      "CWE-125"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Inbound TCP connections to the llama.cpp RPC server (default port 50052) from untrusted hosts.",
+        "RPC messages carrying rpc_tensor structures with a data pointer or buffer field that does not reference a server-allocated buffer (buffer=0 / out-of-range).",
+        "llama.cpp RPC worker crashes, anomalous memory access, or process spawning following GRAPH_COMPUTE / SET_TENSOR / GET_TENSOR traffic.",
+        "llama.cpp at an affected build (llama.cpp < b3561) with the RPC server reachable from untrusted networks — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the ggml/llama.cpp GitHub security advisory (https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-5vm9-p64x-gqw9) and the public exploitation research (https://pwner.gg/blog/2024-10-03-llama-cpp-cves ; https://retr0.blog/blog/llama-rpc-rce), plus NVD CVE-2024-42478 (CWE-125). The unvalidated rpc_tensor data pointer / buffer=0 deserialization is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-42478",
+      "https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-5vm9-p64x-gqw9",
+      "https://pwner.gg/blog/2024-10-03-llama-cpp-cves"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-42478",
+        "url": "https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-5vm9-p64x-gqw9",
+        "severity": "critical",
+        "published_date": "2024-08-12"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-42478",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42478",
+        "severity": "critical",
+        "published_date": "2024-08-12"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-125; NIST CVSS 9.8) + the ggml/llama.cpp GitHub security advisory + public exploitation research. Member of the llama.cpp RPC-backend memory-safety family; CVE-2026-34159 is the GRAPH_COMPUTE path the b3561 fix for CVE-2024-42478/42479 left unpatched.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "llama.cpp's RPC backend GET_TENSOR uses an unvalidated rpc_tensor data pointer, giving an unauthenticated attacker an arbitrary-address read (pointer leak / ASLR bypass); fixed in b3561."
+  },
+  "CVE-2026-34159": {
+    "name": "llama.cpp RPC Backend GRAPH_COMPUTE deserialize_tensor Bounds Bypass RCE",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL). deserialize_tensor() skips all bounds validation when a tensor's buffer field is 0 (CWE-119); the 2024 GET/SET_TENSOR fix (b3561) never covered the GRAPH_COMPUTE command path.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploitation research exists (pwner.gg and retr0.blog walkthroughs of llama.cpp RPC RCE): an unauthenticated TCP client to the RPC server sends crafted rpc_tensor messages to read/write arbitrary memory and, chaining the primitives, execute code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via llama.cpp (ggml) GitHub security advisories and independent exploitation research. The abused surface is the distributed-inference RPC backend of the most widely used local LLM runtime.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic memory-safety in the inference RPC backend, notable for the incomplete first fix.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory / research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "llama.cpp prior to build b8492 (the GRAPH_COMPUTE path was not covered by the b3561 fix for CVE-2024-42478 / CVE-2024-42479).",
+    "affected_versions": [
+      "llama.cpp < b8492"
+    ],
+    "vector": "llama.cpp's RPC backend deserialize_tensor() skips bounds validation when a tensor's buffer field is 0 (CWE-119). Because the b3561 fix only hardened the GET_TENSOR / SET_TENSOR handlers, a malicious GRAPH_COMPUTE message still reaches the unvalidated path, giving an unauthenticated attacker arbitrary memory read/write, ASLR bypass, and remote code execution.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — unauthenticated TCP access to the RPC server (default port 50052).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading llama.cpp to build b8492 or later; rebuild/redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade llama.cpp to build b8492 or later. Never expose the RPC server (default port 50052) to untrusted networks; it has no authentication. Bind it to localhost or a trusted segment and run least-privilege."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the local-LLM runtime's RPC backend as managed, RCE-bearing software, nor that the first fix left the GRAPH_COMPUTE path unpatched.",
+      "NIST-800-53-SC-7": "Boundary-protection control does not flag the unauthenticated RPC server (port 50052) as a network-exposed execution surface.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the inference RPC backend's tensor deserialization as a memory-safety surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the inference RPC backend as a privileged, unauthenticated control plane.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated inference-RPC memory-corruption RCE as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating deserialized tensor bounds in the inference RPC backend.",
+      "AU-ISM-1546": "Patch-application control does not single out the local-LLM runtime's RPC backend.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the inference RPC backend's deserialized tensors as untrusted input requiring bounds validation on every command path; per-command patching left GRAPH_COMPUTE exploitable."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=24 (llama.cpp is the most widely used local LLM runtime) minus patch 15. Note: unauthenticated network reachability of the RPC server raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-34159",
+    "cwe_refs": [
+      "CWE-119"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Inbound TCP connections to the llama.cpp RPC server (default port 50052) from untrusted hosts.",
+        "RPC messages carrying rpc_tensor structures with a data pointer or buffer field that does not reference a server-allocated buffer (buffer=0 / out-of-range).",
+        "llama.cpp RPC worker crashes, anomalous memory access, or process spawning following GRAPH_COMPUTE / SET_TENSOR / GET_TENSOR traffic.",
+        "llama.cpp at an affected build (llama.cpp < b8492) with the RPC server reachable from untrusted networks — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the ggml/llama.cpp GitHub security advisory (https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-j8rj-fmpv-wcxw) and the public exploitation research (https://pwner.gg/blog/2024-10-03-llama-cpp-cves ; https://retr0.blog/blog/llama-rpc-rce), plus NVD CVE-2026-34159 (CWE-119). The unvalidated rpc_tensor data pointer / buffer=0 deserialization is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-34159",
+      "https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-j8rj-fmpv-wcxw",
+      "https://pwner.gg/blog/2024-10-03-llama-cpp-cves"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-34159",
+        "url": "https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-j8rj-fmpv-wcxw",
+        "severity": "critical",
+        "published_date": "2026-04-01"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-34159",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34159",
+        "severity": "critical",
+        "published_date": "2026-04-01"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-119; NIST CVSS 9.8) + the ggml/llama.cpp GitHub security advisory + public exploitation research. Member of the llama.cpp RPC-backend memory-safety family; CVE-2026-34159 is the GRAPH_COMPUTE path the b3561 fix for CVE-2024-42478/42479 left unpatched.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "llama.cpp's RPC backend deserialize_tensor() still skips bounds checks via GRAPH_COMPUTE (buffer=0) — the GRAPH_COMPUTE path the b3561 fix missed — giving unauthenticated RCE; fixed in b8492."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -369,6 +369,7 @@
       "CVE-2022-48503",
       "CVE-2024-56145",
       "CVE-2025-11837",
+      "CVE-2025-1550",
       "CVE-2025-32432",
       "CVE-2025-37164",
       "CVE-2025-43200",
@@ -420,6 +421,7 @@
       "hardening"
     ],
     "evidence_cves": [
+      "CVE-2024-42479",
       "CVE-2026-43284"
     ],
     "framework_controls_partially_addressing": [
@@ -452,6 +454,7 @@
     ],
     "evidence_cves": [
       "CVE-2023-36424",
+      "CVE-2024-42478",
       "CVE-2025-48633",
       "CVE-2025-5419",
       "CVE-2025-5777",
@@ -1317,6 +1320,7 @@
       "CVE-2025-59287",
       "CVE-2025-60455",
       "CVE-2025-68664",
+      "CVE-2025-8747",
       "CVE-2026-20131",
       "CVE-2026-20963"
     ],
@@ -1587,6 +1591,7 @@
       "CVE-2023-3519",
       "CVE-2024-21762",
       "CVE-2024-37079",
+      "CVE-2024-42479",
       "CVE-2025-14174",
       "CVE-2025-14733",
       "CVE-2025-21042",
@@ -2253,6 +2258,7 @@
       "CVE-2025-6965",
       "CVE-2025-7775",
       "CVE-2026-20700",
+      "CVE-2026-34159",
       "CVE-2026-3910"
     ],
     "last_verified": "2026-05-18",