I've tried this locally on a known-vulnerable piece of software using the hugginface Q8 model + llama. It did find the vuln when given the entrypoint in the lib and user-controlled buffer. Otherwise it produced false positives.