@blamejs/exceptd-skills 0.13.83 → 0.13.85

package/data/atlas-ttps.json

@@ -143,6 +143,7 @@
     "maturity": "high",
     "last_verified": "2026-05-19",
     "cve_refs": [
+      "CVE-2023-43654",
       "CVE-2025-1550",
       "CVE-2025-8747",
       "CVE-2026-22778",
@@ -1701,9 +1702,13 @@
     "stix_id": "attack-pattern--ebeed0c7-c5de-5049-8f27-efcae5f88b00",
     "is_subtechnique": false,
     "cve_refs": [
+      "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2025-64496",
-      "CVE-2026-0766"
+      "CVE-2026-0766",
+      "CVE-2026-34159"
     ]
   },
   "AML.T0050": {
@@ -2790,6 +2795,7 @@
     "stix_id": "attack-pattern--a5cc5062-f672-510a-8a4f-a8d1aa7f5024",
     "is_subtechnique": true,
     "cve_refs": [
+      "CVE-2022-1471",
       "CVE-2025-1550",
       "CVE-2025-8747"
     ]

package/data/attack-techniques.json

@@ -269,7 +269,10 @@
       "DS0017"
     ],
     "cve_refs": [
+      "CVE-2022-1471",
+      "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2024-42479",
       "CVE-2024-50050",
       "CVE-2025-1094",
       "CVE-2025-11837",
@@ -298,6 +301,7 @@
       "CVE-2026-30624",
       "CVE-2026-30625",
       "CVE-2026-32202",
+      "CVE-2026-34159",
       "CVE-2026-39884",
       "CVE-2026-39987",
       "CVE-2026-40933",
@@ -821,6 +825,7 @@
       "CVE-2020-25079",
       "CVE-2021-22681",
       "CVE-2021-26828",
+      "CVE-2022-1471",
       "CVE-2022-37055",
       "CVE-2022-40799",
       "CVE-2022-48503",
@@ -830,12 +835,15 @@
       "CVE-2023-33538",
       "CVE-2023-3519",
       "CVE-2023-39780",
+      "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2023-52163",
       "CVE-2024-12987",
       "CVE-2024-1709",
       "CVE-2024-21762",
       "CVE-2024-37079",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2024-43468",
       "CVE-2024-50050",
       "CVE-2024-56145",
@@ -985,6 +993,7 @@
       "CVE-2026-32202",
       "CVE-2026-33017",
       "CVE-2026-33634",
+      "CVE-2026-34159",
       "CVE-2026-34197",
       "CVE-2026-34621",
       "CVE-2026-3502",

package/data/cve-catalog.json

@@ -55,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.035,
+      "current_rate": 0.034,
       "current_floor_enforced_by_test": 0.03,
       "ladder_to_target": [
         0.03,
@@ -12035,6 +12035,528 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Keras safe_mode (added for CVE-2025-1550) is bypassable through 3.10.0: a crafted .keras archive executes code via built-in module arguments even with safe_mode on (CWE-502). The first fix was incomplete."
   },
+  "CVE-2024-42479": {
+    "name": "llama.cpp RPC Backend SET_TENSOR Out-of-Bounds Write RCE",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST CVSS v3.1 base 9.8 (CRITICAL); GitHub scored it 10.0 (Scope:Changed). An unsafe data pointer in the rpc_tensor struct enables a write-what-where primitive (CWE-787/CWE-123).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploitation research exists (pwner.gg and retr0.blog walkthroughs of llama.cpp RPC RCE): an unauthenticated TCP client to the RPC server sends crafted rpc_tensor messages to read/write arbitrary memory and, chaining the primitives, execute code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via llama.cpp (ggml) GitHub security advisories and independent exploitation research. The abused surface is the distributed-inference RPC backend of the most widely used local LLM runtime.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic memory-safety in the inference RPC backend, notable for the incomplete first fix.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory / research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "llama.cpp prior to build b3561.",
+    "affected_versions": [
+      "llama.cpp < b3561"
+    ],
+    "vector": "llama.cpp's RPC backend deserializes a rpc_tensor whose data pointer is attacker-controlled and unvalidated, so a SET_TENSOR message yields an arbitrary-address write (write-what-where, CWE-123). An unauthenticated attacker with TCP access to the RPC server (default port 50052) achieves remote code execution.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — unauthenticated TCP access to the RPC server (default port 50052).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading llama.cpp to build b3561 or later; rebuild/redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade llama.cpp to build b3561 or later. Never expose the RPC server (default port 50052) to untrusted networks; it has no authentication. Bind it to localhost or a trusted segment and run least-privilege."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the local-LLM runtime's RPC backend as managed, RCE-bearing software, nor that the first fix left the GRAPH_COMPUTE path unpatched.",
+      "NIST-800-53-SC-7": "Boundary-protection control does not flag the unauthenticated RPC server (port 50052) as a network-exposed execution surface.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the inference RPC backend's tensor deserialization as a memory-safety surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the inference RPC backend as a privileged, unauthenticated control plane.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated inference-RPC memory-corruption RCE as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating deserialized tensor bounds in the inference RPC backend.",
+      "AU-ISM-1546": "Patch-application control does not single out the local-LLM runtime's RPC backend.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the inference RPC backend's deserialized tensors as untrusted input requiring bounds validation on every command path; per-command patching left GRAPH_COMPUTE exploitable."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=24 (llama.cpp is the most widely used local LLM runtime) minus patch 15. Note: unauthenticated network reachability of the RPC server raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-42479",
+    "cwe_refs": [
+      "CWE-787",
+      "CWE-123"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Inbound TCP connections to the llama.cpp RPC server (default port 50052) from untrusted hosts.",
+        "RPC messages carrying rpc_tensor structures with a data pointer or buffer field that does not reference a server-allocated buffer (buffer=0 / out-of-range).",
+        "llama.cpp RPC worker crashes, anomalous memory access, or process spawning following GRAPH_COMPUTE / SET_TENSOR / GET_TENSOR traffic.",
+        "llama.cpp at an affected build (llama.cpp < b3561) with the RPC server reachable from untrusted networks — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the ggml/llama.cpp GitHub security advisory (https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-wcr5-566p-9cwj) and the public exploitation research (https://pwner.gg/blog/2024-10-03-llama-cpp-cves ; https://retr0.blog/blog/llama-rpc-rce), plus NVD CVE-2024-42479 (CWE-787/CWE-123). The unvalidated rpc_tensor data pointer / buffer=0 deserialization is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-42479",
+      "https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-wcr5-566p-9cwj",
+      "https://pwner.gg/blog/2024-10-03-llama-cpp-cves"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-42479",
+        "url": "https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-wcr5-566p-9cwj",
+        "severity": "critical",
+        "published_date": "2024-08-12"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-42479",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42479",
+        "severity": "critical",
+        "published_date": "2024-08-12"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-787/CWE-123; NIST CVSS 9.8) + the ggml/llama.cpp GitHub security advisory + public exploitation research. Member of the llama.cpp RPC-backend memory-safety family; CVE-2026-34159 is the GRAPH_COMPUTE path the b3561 fix for CVE-2024-42478/42479 left unpatched.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "llama.cpp's RPC backend SET_TENSOR uses an unvalidated rpc_tensor data pointer, giving an unauthenticated attacker a write-what-where primitive and RCE; fixed in b3561."
+  },
+  "CVE-2024-42478": {
+    "name": "llama.cpp RPC Backend GET_TENSOR Out-of-Bounds Read",
+    "type": "INFO-DISCLOSURE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST CVSS v3.1 base 9.8 (CRITICAL). An unsafe data pointer in the rpc_tensor struct enables arbitrary-address reads (CWE-125), a primitive for pointer leaks / ASLR bypass that chains into the write-what-where RCE.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploitation research exists (pwner.gg and retr0.blog walkthroughs of llama.cpp RPC RCE): an unauthenticated TCP client to the RPC server sends crafted rpc_tensor messages to read/write arbitrary memory and, chaining the primitives, execute code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via llama.cpp (ggml) GitHub security advisories and independent exploitation research. The abused surface is the distributed-inference RPC backend of the most widely used local LLM runtime.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic memory-safety in the inference RPC backend, notable for the incomplete first fix.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory / research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "llama.cpp prior to build b3561.",
+    "affected_versions": [
+      "llama.cpp < b3561"
+    ],
+    "vector": "llama.cpp's RPC backend deserializes a rpc_tensor whose data pointer is attacker-controlled and unvalidated, so a GET_TENSOR message yields an arbitrary-address read (CWE-125). An unauthenticated attacker with TCP access to the RPC server leaks memory (pointers, ASLR bypass), enabling reliable exploitation of the companion write primitive.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — unauthenticated TCP access to the RPC server (default port 50052).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading llama.cpp to build b3561 or later; rebuild/redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade llama.cpp to build b3561 or later. Never expose the RPC server (default port 50052) to untrusted networks; it has no authentication. Bind it to localhost or a trusted segment and run least-privilege."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the local-LLM runtime's RPC backend as managed, RCE-bearing software, nor that the first fix left the GRAPH_COMPUTE path unpatched.",
+      "NIST-800-53-SC-7": "Boundary-protection control does not flag the unauthenticated RPC server (port 50052) as a network-exposed execution surface.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the inference RPC backend's tensor deserialization as a memory-safety surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the inference RPC backend as a privileged, unauthenticated control plane.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated inference-RPC memory-corruption RCE as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating deserialized tensor bounds in the inference RPC backend.",
+      "AU-ISM-1546": "Patch-application control does not single out the local-LLM runtime's RPC backend.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the inference RPC backend's deserialized tensors as untrusted input requiring bounds validation on every command path; per-command patching left GRAPH_COMPUTE exploitable."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=24 (llama.cpp is the most widely used local LLM runtime) minus patch 15. Note: unauthenticated network reachability of the RPC server raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-42478",
+    "cwe_refs": [
+      "CWE-125"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Inbound TCP connections to the llama.cpp RPC server (default port 50052) from untrusted hosts.",
+        "RPC messages carrying rpc_tensor structures with a data pointer or buffer field that does not reference a server-allocated buffer (buffer=0 / out-of-range).",
+        "llama.cpp RPC worker crashes, anomalous memory access, or process spawning following GRAPH_COMPUTE / SET_TENSOR / GET_TENSOR traffic.",
+        "llama.cpp at an affected build (llama.cpp < b3561) with the RPC server reachable from untrusted networks — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the ggml/llama.cpp GitHub security advisory (https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-5vm9-p64x-gqw9) and the public exploitation research (https://pwner.gg/blog/2024-10-03-llama-cpp-cves ; https://retr0.blog/blog/llama-rpc-rce), plus NVD CVE-2024-42478 (CWE-125). The unvalidated rpc_tensor data pointer / buffer=0 deserialization is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-42478",
+      "https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-5vm9-p64x-gqw9",
+      "https://pwner.gg/blog/2024-10-03-llama-cpp-cves"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-42478",
+        "url": "https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-5vm9-p64x-gqw9",
+        "severity": "critical",
+        "published_date": "2024-08-12"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-42478",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42478",
+        "severity": "critical",
+        "published_date": "2024-08-12"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-125; NIST CVSS 9.8) + the ggml/llama.cpp GitHub security advisory + public exploitation research. Member of the llama.cpp RPC-backend memory-safety family; CVE-2026-34159 is the GRAPH_COMPUTE path the b3561 fix for CVE-2024-42478/42479 left unpatched.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "llama.cpp's RPC backend GET_TENSOR uses an unvalidated rpc_tensor data pointer, giving an unauthenticated attacker an arbitrary-address read (pointer leak / ASLR bypass); fixed in b3561."
+  },
+  "CVE-2026-34159": {
+    "name": "llama.cpp RPC Backend GRAPH_COMPUTE deserialize_tensor Bounds Bypass RCE",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL). deserialize_tensor() skips all bounds validation when a tensor's buffer field is 0 (CWE-119); the 2024 GET/SET_TENSOR fix (b3561) never covered the GRAPH_COMPUTE command path.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploitation research exists (pwner.gg and retr0.blog walkthroughs of llama.cpp RPC RCE): an unauthenticated TCP client to the RPC server sends crafted rpc_tensor messages to read/write arbitrary memory and, chaining the primitives, execute code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via llama.cpp (ggml) GitHub security advisories and independent exploitation research. The abused surface is the distributed-inference RPC backend of the most widely used local LLM runtime.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic memory-safety in the inference RPC backend, notable for the incomplete first fix.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory / research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "llama.cpp prior to build b8492 (the GRAPH_COMPUTE path was not covered by the b3561 fix for CVE-2024-42478 / CVE-2024-42479).",
+    "affected_versions": [
+      "llama.cpp < b8492"
+    ],
+    "vector": "llama.cpp's RPC backend deserialize_tensor() skips bounds validation when a tensor's buffer field is 0 (CWE-119). Because the b3561 fix only hardened the GET_TENSOR / SET_TENSOR handlers, a malicious GRAPH_COMPUTE message still reaches the unvalidated path, giving an unauthenticated attacker arbitrary memory read/write, ASLR bypass, and remote code execution.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — unauthenticated TCP access to the RPC server (default port 50052).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading llama.cpp to build b8492 or later; rebuild/redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade llama.cpp to build b8492 or later. Never expose the RPC server (default port 50052) to untrusted networks; it has no authentication. Bind it to localhost or a trusted segment and run least-privilege."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the local-LLM runtime's RPC backend as managed, RCE-bearing software, nor that the first fix left the GRAPH_COMPUTE path unpatched.",
+      "NIST-800-53-SC-7": "Boundary-protection control does not flag the unauthenticated RPC server (port 50052) as a network-exposed execution surface.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the inference RPC backend's tensor deserialization as a memory-safety surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the inference RPC backend as a privileged, unauthenticated control plane.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated inference-RPC memory-corruption RCE as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating deserialized tensor bounds in the inference RPC backend.",
+      "AU-ISM-1546": "Patch-application control does not single out the local-LLM runtime's RPC backend.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the inference RPC backend's deserialized tensors as untrusted input requiring bounds validation on every command path; per-command patching left GRAPH_COMPUTE exploitable."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=24 (llama.cpp is the most widely used local LLM runtime) minus patch 15. Note: unauthenticated network reachability of the RPC server raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-34159",
+    "cwe_refs": [
+      "CWE-119"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Inbound TCP connections to the llama.cpp RPC server (default port 50052) from untrusted hosts.",
+        "RPC messages carrying rpc_tensor structures with a data pointer or buffer field that does not reference a server-allocated buffer (buffer=0 / out-of-range).",
+        "llama.cpp RPC worker crashes, anomalous memory access, or process spawning following GRAPH_COMPUTE / SET_TENSOR / GET_TENSOR traffic.",
+        "llama.cpp at an affected build (llama.cpp < b8492) with the RPC server reachable from untrusted networks — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the ggml/llama.cpp GitHub security advisory (https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-j8rj-fmpv-wcxw) and the public exploitation research (https://pwner.gg/blog/2024-10-03-llama-cpp-cves ; https://retr0.blog/blog/llama-rpc-rce), plus NVD CVE-2026-34159 (CWE-119). The unvalidated rpc_tensor data pointer / buffer=0 deserialization is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-34159",
+      "https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-j8rj-fmpv-wcxw",
+      "https://pwner.gg/blog/2024-10-03-llama-cpp-cves"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-34159",
+        "url": "https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-j8rj-fmpv-wcxw",
+        "severity": "critical",
+        "published_date": "2026-04-01"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-34159",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34159",
+        "severity": "critical",
+        "published_date": "2026-04-01"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-119; NIST CVSS 9.8) + the ggml/llama.cpp GitHub security advisory + public exploitation research. Member of the llama.cpp RPC-backend memory-safety family; CVE-2026-34159 is the GRAPH_COMPUTE path the b3561 fix for CVE-2024-42478/42479 left unpatched.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "llama.cpp's RPC backend deserialize_tensor() still skips bounds checks via GRAPH_COMPUTE (buffer=0) — the GRAPH_COMPUTE path the b3561 fix missed — giving unauthenticated RCE; fixed in b8492."
+  },
+  "CVE-2023-43654": {
+    "name": "PyTorch TorchServe Management API SSRF to Remote Code Execution (ShellTorch)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL). The TorchServe management interface accepts model-configuration uploads from any domain (SSRF, CWE-918), and with the default all-interfaces bind and no authentication this becomes unauthenticated remote code execution.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented by Oligo Security's ShellTorch research (and the vendor advisory): an unauthenticated request to the TorchServe management API registers a malicious model from a remote URL, leading to code execution.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security (ShellTorch) against PyTorch's TorchServe model server (maintained by Amazon and Meta).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; SSRF-to-RCE on an AI model server.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Oligo found thousands of exposed TorchServe instances (including at major organizations); research disclosure with a coordinated fix, no confirmed adversary in-the-wild exploitation reported as of curation.",
+    "affected": "PyTorch TorchServe 0.1.0 through 0.8.1 (fixed 0.8.2). The management API binds to all interfaces by default and has no built-in authentication.",
+    "affected_versions": [
+      "PyTorch TorchServe >= 0.1.0, <= 0.8.1"
+    ],
+    "vector": "TorchServe's management API allows registering a model from a remote URL the server then fetches and writes to disk (SSRF, CWE-918). Because the management console binds to all interfaces by default and TorchServe has no authentication, an unauthenticated remote attacker uploads a malicious model configuration and achieves remote code execution — the core of the ShellTorch chain (Oligo).",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L. PR:N — the default-configured management API is unauthenticated and network-exposed.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an upgrade to TorchServe 0.8.2 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade TorchServe to 0.8.2 or later, bind the management API to loopback only, enable authentication / a token, and restrict allowed_urls so model configs cannot be fetched from arbitrary domains."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Authentication is not enforced on the AI model server's management API; the default deployment is open and network-exposed.",
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI model servers and their config/deserialization paths as managed, RCE-bearing software.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the model server's management API / YAML config parsing as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the AI model server's management plane as a privileged, unauthenticated control plane.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated model-server takeover as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no requirement to authenticate the AI model server's management API.",
+      "AU-ISM-1546": "Patch-application control does not single out AI model servers and their bundled deserialization libraries.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the model server's management API + config deserialization as an untrusted, RCE-bearing surface; default-open management plus unsafe YAML turns config upload into full takeover."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0010"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 minus patch 15. Note: thousands of TorchServe instances were found exposed, raising operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-43654",
+    "cwe_refs": [
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "TorchServe management API (default port 8081) reachable from untrusted networks without authentication.",
+        "Model-register requests to TorchServe referencing a remote URL (model archive / config) controlled by an external party.",
+        "TorchServe fetching and writing files from attacker-supplied URLs, or spawning processes after a model registration.",
+        "TorchServe 0.1.0–0.8.1 with the management API bound to all interfaces — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from Oligo Security's ShellTorch research (https://www.oligo.security/blog/shelltorch-explained-multiple-vulnerabilities-in-pytorch-model-server), the vendor advisory (https://github.com/pytorch/serve/security/advisories/GHSA-8fxr-qfr9-p34w), and NVD CVE-2023-43654 (CWE-918)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-43654",
+      "https://www.oligo.security/blog/shelltorch-explained-multiple-vulnerabilities-in-pytorch-model-server",
+      "https://github.com/pytorch/serve/security/advisories/GHSA-8fxr-qfr9-p34w"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory (pytorch/serve)",
+        "advisory_id": "CVE-2023-43654",
+        "url": "https://github.com/pytorch/serve/security/advisories/GHSA-8fxr-qfr9-p34w",
+        "severity": "critical",
+        "published_date": "2023-09-28"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-43654",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43654",
+        "severity": "critical",
+        "published_date": "2023-09-28"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-918; NIST CVSS 9.8) + Oligo Security's ShellTorch research + the pytorch/serve advisory. Part of the ShellTorch TorchServe takeover chain.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "PyTorch TorchServe's unauthenticated, all-interfaces management API fetches and writes remote model configs (SSRF, CWE-918), giving unauthenticated RCE; the core of ShellTorch; fixed in 0.8.2."
+  },
+  "CVE-2022-1471": {
+    "name": "SnakeYAML Constructor Unsafe Deserialization RCE (ShellTorch chain)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL); the CNA (Google) scored 8.3 (HIGH, PR:L). SnakeYAML's Constructor does not restrict instantiable types, so parsing attacker-controlled YAML yields arbitrary object instantiation and code execution (CWE-502 / CWE-20). In ShellTorch this is the deserialization leg reached via the TorchServe model config.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented by Oligo Security's ShellTorch research (and the vendor advisory): parsing attacker-controlled YAML with the default SnakeYAML Constructor instantiates arbitrary types and executes code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security (ShellTorch) as the deserialization leg of the TorchServe chain; SnakeYAML itself is a widely used Java YAML library.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic unsafe deserialization.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Oligo found thousands of exposed TorchServe instances (including at major organizations); research disclosure with a coordinated fix, no confirmed adversary in-the-wild exploitation reported as of curation.",
+    "affected": "SnakeYAML before 2.0 (fixed in 2.0, which defaults to SafeConstructor). Reached in ShellTorch through TorchServe's YAML model-config parsing.",
+    "affected_versions": [
+      "SnakeYAML < 2.0"
+    ],
+    "vector": "SnakeYAML's default Constructor instantiates arbitrary Java types named in the YAML, so deserializing attacker-controlled YAML executes code (CWE-502). Any service that parses untrusted YAML with the unsafe Constructor is exposed; in the ShellTorch chain TorchServe parses an attacker-supplied model configuration, turning the SSRF into full RCE.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L. NVD assesses PR:N (CNA Google assessed PR:L).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an upgrade to SnakeYAML 2.0 or later (SafeConstructor default); redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade SnakeYAML to 2.0 or later, or construct YAML parsers with SafeConstructor. For TorchServe, also apply CVE-2023-43654 mitigations so untrusted model configs never reach the parser."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Authentication is not enforced on the AI model server's management API; the default deployment is open and network-exposed.",
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI model servers and their config/deserialization paths as managed, RCE-bearing software.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the model server's management API / YAML config parsing as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the AI model server's management plane as a privileged, unauthenticated control plane.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated model-server takeover as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no requirement to authenticate the AI model server's management API.",
+      "AU-ISM-1546": "Patch-application control does not single out AI model servers and their bundled deserialization libraries.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the model server's management API + config deserialization as an untrusted, RCE-bearing surface; default-open management plus unsafe YAML turns config upload into full takeover."
+    },
+    "atlas_refs": [
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=24 minus patch 15. Note: thousands of TorchServe instances were found exposed, raising operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2022-1471",
+    "cwe_refs": [
+      "CWE-502",
+      "CWE-20"
+    ],
+    "iocs": {
+      "behavioral": [
+        "A service parsing untrusted YAML with SnakeYAML's default Constructor instantiating unexpected Java types (e.g. ScriptEngine, URLClassLoader) during load.",
+        "YAML payloads containing !!javax / !!java type tags or remote class-loading constructs reaching a YAML parser.",
+        "Process or class-loading activity triggered by YAML deserialization of externally supplied content.",
+        "SnakeYAML < 2.0 on the classpath of a service that parses untrusted YAML — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from Oligo Security's ShellTorch research (https://www.oligo.security/blog/shelltorch-explained-multiple-vulnerabilities-in-pytorch-model-server), the vendor advisory (https://github.com/advisories/GHSA-mjmj-j48q-9wg2), and NVD CVE-2022-1471 (CWE-502/CWE-20)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
+      "https://www.oligo.security/blog/shelltorch-explained-multiple-vulnerabilities-in-pytorch-model-server",
+      "https://github.com/advisories/GHSA-mjmj-j48q-9wg2"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "SnakeYAML / NVD",
+        "advisory_id": "CVE-2022-1471",
+        "url": "https://github.com/advisories/GHSA-mjmj-j48q-9wg2",
+        "severity": "critical",
+        "published_date": "2022-12-01"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2022-1471",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
+        "severity": "critical",
+        "published_date": "2022-12-01"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502/CWE-20; NIST CVSS 9.8) + Oligo Security's ShellTorch research + the SnakeYAML advisory. Part of the ShellTorch TorchServe takeover chain.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SnakeYAML's default Constructor deserializes arbitrary types from untrusted YAML (CWE-502), enabling RCE; fixed in 2.0 (SafeConstructor default). The deserialization leg of the ShellTorch TorchServe chain."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",