| # GGUF-PY-F001 Evidence Pack — Nested ARRAY Recursion DoS |
|
|
| ## Finding |
|
|
| Python `GGUFReader` processes nested GGUF ARRAY metadata recursively. A crafted GGUF file with deeply nested ARRAY metadata triggers a Python `RecursionError`, causing Python-side model/tooling load failure. |
|
|
| ## Confirmed live-repo proof |
|
|
| The proof asserts that Python imports `gguf` from the live mounted repo: |
|
|
| - `gguf.__file__ = /target/gguf-py/gguf/__init__.py` |
| - `GGUFReader source = /target/gguf-py/gguf/gguf_reader.py` |
|
|
| The native binary used is from the live mounted repo: |
|
|
| - `/target/build/bin/llama-gguf` |
| - version: `9046 (a290ce626)` |
|
|
| ## Confirmed crafted file |
|
|
| The PoC GGUF contains: |
|
|
| - magic: GGUF |
| - version: 3 |
| - n_tensors: 0 |
| - n_kv: 1 |
| - one metadata key |
| - deeply nested ARRAY metadata |
|
|
| ## Confirmed Python behavior |
|
|
| Python live-repo `GGUFReader` raises `RecursionError` while loading the crafted file. |
|
|
| ## Expected security impact |
|
|
| This is not RCE. The impact is Python-side denial of service / malformed model processing failure in tooling, scanning, or ingestion paths that use `gguf-py` to inspect externally supplied GGUF files. |
|
|
| ## Non-claims |
|
|
| This pack does not claim native C++ memory corruption, RCE, privilege escalation, or data exfiltration. |
|
|
