What is CVE-2026-2069?

CVE-2026-2069 is a low-severity vulnerability in Ggml-org Llama.cpp, classified under Improper Restriction of Operations within the Bounds of a Memory Buffer. CVSS score: 3.3/10. Published 2026-02-06.

How severe is CVE-2026-2069?

Low severity. CVSS v3 base score is 3.3 out of 10.

Buffer overflow in Ggml-org Llama.cpp

CVE-2026-2069

A flaw has been found in ggml-org llama.cpp up to 55abc39. Impacted is the function llama_grammar_advance_stack of the file llama.cpp/src/llama-grammar.cpp of the component GBNF Grammar Handler. This manipulation causes stack-based buffer…

Vulnerability class: Buffer Overflow

EPSS: 0.000 (5.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.3 (Low). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L.

Affected products

Ggml-org Llama.cpp — versions 55abc39

Weakness classification (CWE)

References

VDB-344636 | ggml-org llama.cpp GBNF Grammar llama-grammar.cpp llama_grammar_advance_stack stack-based overflow (technical-description, vdb-entry)
VDB-344636 | CTI Indicators (IOB, IOC, IOA) (signature, permissions-required)
Submit #745263 | llama.cpp commit 55abc39 Stack-based Buffer Overflow (third-party-advisory)
cna@vuldb.com (issue-tracking)
cna@vuldb.com (issue-tracking)
cna@vuldb.com (exploit)
cna@vuldb.com (issue-tracking, patch)
cna@vuldb.com (product)

Frequently asked questions

What is CVE-2026-2069?: CVE-2026-2069 is a low-severity vulnerability in Ggml-org Llama.cpp, classified under Improper Restriction of Operations within the Bounds of a Memory Buffer. CVSS score: 3.3/10. Published 2026-02-06.
How severe is CVE-2026-2069?: Low severity. CVSS v3 base score is 3.3 out of 10.