llama.cpp GGUF tampering exposes live steering risk

This is a sharp reminder that local LLM security is an infrastructure problem, not just a prompt-security problem.

• –The attack targets shared, writable model volumes, which are common in self-hosted and containerized inference setups
• –Because `llama.cpp` reads mmap-backed GGUF weights from disk-backed pages, file changes can propagate into live serving behavior immediately
• –The PoC is narrow rather than universal: it depends on default mmap behavior, writable access to the model file, and a compatible tensor/quantization layout
• –The mitigation advice is practical and high-signal for operators: mount model directories read-only, isolate serving permissions, avoid shared writable paths, and use `--no-mmap` where the threat model warrants it
• –For AI infra teams, this looks less like a novelty hack and more like a real integrity gap in local inference deployments