MLX has Wild Pointer Dereference in load_gguf()

Vulnerability

Overview

CVE-2025-62609 describes a segmentation fault in the MLX array framework for Apple silicon, specifically in the mlx::core::load_gguf() function when processing a malicious GGUF file. The root cause lies in the extract_tensor_data() function within mlx/io/gguf.cpp. The function retrieves a pointer (tensor->weights_data) from the external gguflib library and passes it directly to memcpy without any validation. If the pointer is invalid or points to an inaccessible memory region, the operation triggers a segmentation fault, crashing the application [1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a specially designed GGUF file that contains an invalid or null weights_data pointer. No authentication or special privileges are required; the victim only needs to load the malicious file using MLX's mx.load() function with the format='gguf' argument. The crash occurs immediately upon parsing the file, making it a straightforward denial-of-service vector [1][2].

Impact

The primary impact is a denial of service (application crash). The advisory does not indicate that arbitrary code execution or data corruption is possible; the vulnerability is limited to causing the MLX process to terminate unexpectedly. This can disrupt workflows that rely on loading untrusted GGUF files, such as when processing user-supplied models in a server or research environment [1][2].

Mitigation

The issue has been patched in MLX version 0.29.4. Users are strongly advised to upgrade to this version or later. The fix adds a null-pointer check before dereferencing tensor->weights_data, throwing a runtime error instead of crashing. No workarounds are documented; the safest mitigation is to update the library [1][2].