CVE-2026-10298: whisper.cpp Null Pointer Dereference Vulnerability – Local Denial of Service
A null pointer dereference vulnerability exists in whisper.cpp versions up to 1.8.2, specifically in the model loading function. An attacker with local system access can trigger this flaw to cause the application to crash or become unavailable. The vulnerability requires user privileges to exploit and does not directly compromise data confidentiality or integrity. Public exploit code is available, though the impact remains limited to denial of service on the affected system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-404, CWE-476
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A security flaw has been discovered in ggml-org whisper.cpp up to 1.8.2. This vulnerability affects the function whisper_model_load of the file ggml/src/ggml.c. The manipulation results in null pointer dereference. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10298 is a null pointer dereference flaw in the whisper_model_load function within ggml/src/ggml.c of ggml-org whisper.cpp up to version 1.8.2. The vulnerability stems from improper input validation during model file loading, allowing a local, low-privileged user to provide a specially crafted model file that causes the application to dereference a null pointer. This results in an unhandled exception and process termination. The flaw maps to CWE-404 (Improper Resource Validation) and CWE-476 (Null Pointer Dereference), indicating inadequate checks before pointer operations.
Business impact
The practical impact is limited but should not be ignored in environments where whisper.cpp processes untrusted model files. Affected deployments may experience service disruption if local users can supply malicious model files. For organizations running whisper.cpp as part of speech-to-text pipelines or inference services, this could trigger unplanned downtime. However, the vulnerability does not enable privilege escalation, data theft, or remote code execution. The risk is primarily operational availability on systems where model loading is exposed to local attackers or where user-supplied models are accepted without sandboxing.
Affected systems
The vulnerability affects ggml-org whisper.cpp versions up to and including 1.8.2. Any deployment running these versions on systems where local users can supply model files or trigger model loading is at potential risk. This includes development environments, local inference services, and internal speech processing pipelines that accept model inputs from multiple users or untrusted sources. Systems running versions newer than 1.8.2 are unaffected if patches have been applied; verify your deployed version against the whisper.cpp release notes.
Exploitability
Exploitation requires local system access and low-level user privileges. An attacker must be able to either place a malicious model file in a location where whisper.cpp loads it, or control the model file path supplied to the whisper_model_load function. The barrier to exploitation is intentionally high—remote exploitation is not feasible. Public exploit code now exists, removing the need for custom payload development, but the local-only attack vector constrains real-world risk. Organizations with strong filesystem access controls and input validation reduce their exposure substantially.
Remediation
Upgrade whisper.cpp to a version newer than 1.8.2. Consult the official ggml-org whisper.cpp repository and release notes for the latest stable build. Additionally, implement input validation on model file paths and implement filesystem permissions that restrict local user access to model directories. Where possible, run whisper.cpp in a sandboxed environment or container with minimal privileges to limit the blast radius of a crash.
Patch guidance
Check the ggml-org whisper.cpp GitHub repository for releases published after 1.8.2. Apply the latest available version through your build or package management system. Verify that model loading functions are exercised during testing to confirm the null pointer issue is resolved. If your deployment uses a frozen or pinned version of whisper.cpp, review whether your build includes any backported fixes or security patches from upstream before 1.8.2 was released.
Detection guidance
Monitor for repeated crashes or restarts of whisper.cpp processes on systems processing user-supplied model files. Inspect application logs and system error logs for null pointer dereference exceptions or segmentation faults originating from ggml/src/ggml.c. Audit filesystem access patterns to identify whether local users are able to write to directories where model files are stored. If feasible, enable core dumps or crash reporting to correlate failure timestamps with suspicious model file submissions. Implement alerting on unexpected process terminations in speech-processing pipelines.
Why prioritize this
While the CVSS score of 3.3 reflects the limited attack surface and low severity, this vulnerability should not be deprioritized entirely. The release of public exploit code elevates operational risk in environments where model loading is exposed to local attackers. Organizations should treat this as a medium-priority patch window item—not an emergency, but worth scheduling within the next 1-2 quarterly maintenance cycles. Teams managing speech-to-text or inference services internally should prioritize higher if local user model submissions are part of normal operations.
Risk score, explained
The CVSS 3.1 score of 3.3 (LOW severity) reflects a local-only attack vector, low privileges required, and no impact on data confidentiality or integrity. The sole impact is availability—an attacker can crash the process. The score does not account for the availability of public exploit code, which is noted separately. In contexts where whisper.cpp is used for mission-critical speech processing or operates in multi-tenant environments, the operational risk may feel higher than the numeric score suggests; adjust your organizational risk tolerance accordingly.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The vulnerability requires local system access and user-level privileges. Remote attackers cannot trigger it over the network. This constraint significantly limits the practical threat surface for most organizations.
Will this crash cause data loss or compromise sensitive information?
No. The null pointer dereference results only in a denial of service—the affected process crashes. No data is exfiltrated, encrypted, or permanently damaged. However, if the crashed service is relied upon for real-time operations, the interruption itself may be disruptive.
What should I do if I cannot upgrade immediately?
Restrict local user access to directories containing model files. Implement filesystem permissions so that unprivileged users cannot supply or modify models. Run whisper.cpp with the minimal privileges necessary. Monitor for unexpected process crashes in your logs. Plan an upgrade window within your next maintenance cycle.
Is there a workaround if I remain on 1.8.2?
There is no reliable workaround that eliminates the risk. Mitigations are primarily preventive: control who can supply model files, validate file integrity where possible, and run the process in a restricted environment. Upgrading remains the only definitive fix.
This analysis is based on disclosed vulnerability data as of June 2026. Verify patch availability and version numbers against the official ggml-org whisper.cpp repository and vendor advisories. CVSS scores are provided by the source data and reflect standard environmental assumptions; adjust your organization's risk assessment based on your specific threat model and deployment context. Public exploit code existence does not guarantee exploitation in your environment if access controls are properly enforced. This page does not constitute legal advice or a substitute for security consultation with your vendor or internal security team. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10197LOWAssimp glTF2 Null Pointer Dereference Denial of Service
- CVE-2026-10198LOWAssimp glTF Importer Null Pointer Dereference DoS Vulnerability
- CVE-2026-10199LOWAssimp Null Pointer Dereference in glTF2 Parsing
- CVE-2026-10201LOWAssimp FBX Divide-by-Zero Denial of Service
- CVE-2026-10295LOWDenial of Service in SourceCodester Customer Review App 1.0
- CVE-2026-10705LOWDask HyperLogLog Resource Exhaustion Vulnerability
- CVE-2026-10775LOWSGLang Cache Handler Denial-of-Service Vulnerability (v0.5.11)
- CVE-2025-59604HIGHQualcomm Snapdragon Memory Corruption Vulnerability – HIGH Severity