Cybersecurity researchers have disclosed a essential safety vulnerability in Ollama that, if efficiently exploited, might enable a distant, unauthenticated attacker to leak its total course of reminiscence.
The out-of-bounds learn flaw, which doubtless impacts over 300,000 servers globally, is tracked as CVE-2026-7482 (CVSS rating: 9.1). It has been codenamed Bleeding Llama by Cyera.
Ollama is a well-liked open-source framework that permits massive language fashions (LLMs) to be run domestically as a substitute of on the cloud. On GitHub, the undertaking has greater than 171,000 stars and has been forked over 16,100 instances.
“Ollama earlier than 0.17.1 comprises a heap out-of-bounds learn vulnerability within the GGUF mannequin loader,” in keeping with a description of the flaw in CVE.org. “The /api/create endpoint accepts an attacker-supplied GGUF file during which the declared tensor offset and measurement exceed the file’s precise size; throughout quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads previous the allotted heap buffer.”
GGUF, brief for GPT-Generated Unified Format, is a file format that is used to retailer massive language fashions in order that they are often simply loaded and executed domestically.
The issue, at its core, stems from Ollama’s use of the unsafe package deal when making a mannequin from a GGUF file, particularly in a perform named “WriteTo(),” thereby making it potential to execute operations that bypass the reminiscence security ensures of the programming language.
In a hypothetical assault state of affairs, a nasty actor can ship a specifically crafted GGUF file to an uncovered Ollama server with the tensor’s form set to a really massive quantity to set off the out-of-bounds heap learn throughout mannequin creation utilizing the /api/create endpoint. Profitable exploitation of the vulnerability might leak delicate information from the Ollama course of reminiscence.
This will likely embody atmosphere variables, API keys, system prompts, and concurrent customers’ dialog information. This information might be exfiltrated by importing the ensuing mannequin artifact by means of the /api/push endpoint to an attacker-controlled registry.
The exploitation chain unfolds over three steps –
- Add a crafted GGUF file with an inflated tensor form to a network-accessible Ollama server utilizing an HTTP POST request.
- Use the /api/create endpoint to activate mannequin creation, firing the out-of-bounds learn vulnerability.
- Use the /api/push endpoint to exfiltrate information from the heap reminiscence to an exterior server.
“An attacker can study mainly something in regards to the group out of your AI inference — API keys, proprietary code, buyer contracts, and rather more,” Cyera safety researcher Dor Attias mentioned.
“On prime of that, engineers typically join Ollama to instruments like Claude Code. In these circumstances, the affect is even larger — all instrument outputs circulate to the Ollama server, get saved within the heap, and probably find yourself in an attacker’s arms.”
Customers are suggested to use the most recent fixes, restrict community entry, audit operating situations for web publicity, and isolate and safe them behind a firewall. It is also beneficial to deploy an authentication proxy or API gateway in entrance of all Ollama situations, because the REST API doesn’t present authentication out of the field.
Two Unpatched Flaws in Ollama Result in Persistent Code Execution
The event comes as researchers at Striga detailed two vulnerabilities in Ollama’s Home windows replace mechanism that may be chained into persistent code execution. The shortcomings stay unpatched following disclosure on January 27, 2026, and have been revealed following the elapse of a 90-day disclosure interval.
In line with Bartłomiej “Bartek” Dmitruk, co-founder of Striga, the Home windows desktop consumer auto-starts on login from the Home windows Startup folder, listens on 127.0.0[.]1:11434, and periodically polls for updates within the background by way of the /api/replace endpoint to run any pending updates on the following app begin.
The recognized vulnerabilities relate to a path traversal and a lacking signature test that, when mixed with the on-login routine, can allow an attacker with the flexibility to affect replace responses to execute arbitrary code at each login. The issues are listed beneath –
- CVE-2026-42248 (CVSS rating: 7.7) – A lacking signature verification vulnerability that doesn’t confirm the replace binary previous to set up, in contrast to its macOS model.
- CVE-2026-42249 (CVSS rating: 7.7) – A path traversal vulnerability that stems from the truth that the Home windows updater creates the native path for the installer’s staging listing immediately from HTTP response headers with out sanitizing it.
To use the issues, the attacker must be answerable for an replace server that is reachable by the sufferer’s Ollama consumer.In such a scenario, it might result in a state of affairs the place an arbitrary executable is provided as a part of the replace course of and will get written to the Home windows Startup folder with out elevating any signature test points.
To have the ability to management the replace response, one method entails overriding the OLLAMA_UPDATE_URL to level the consumer at an area server on plain HTTP. The assault chain additionally assumes AutoUpdateEnabled is on, which is the default setting.
What’s extra, the lacking integrity test can result in code execution by itself with out the necessity for exploiting the trail traversal vulnerability. On this case, the installer is dropped into the anticipated staging listing. Throughout the subsequent launch from the Startup folder, the replace course of is invoked with out re-verifying the signature, inflicting the attacker’s code to be executed as a substitute.
That being mentioned, the distant code execution is just not persistent, as the following reputable replace overwrites the staged file. By including the trail traversal to the combo, a nasty actor can redirect the executable to be written outdoors the standard path and obtain persistent code execution.
In line with CERT Polska, which took over the coordinated disclosure course of, Ollama for Home windows variations 0.12.10 by means of 0.17.5 are weak to the 2 flaws. Within the interim, customers are beneficial to show off automated updates and take away any current Ollama shortcut from the Startup folder (“%APPDATApercentMicrosoftWindowsStart MenuProgramsStartup”) to disable the silent on-login execution pathway.
“Any Ollama for Home windows set up operating model 0.12.10 by means of 0.22.0 is weak,” Dmitruk mentioned. “The trail traversal writes attacker-chosen executables into the Home windows Startup folder. The lacking signature verification retains them there: the post-write cleanup that might take away unsigned information on a working updater is a no-op on Home windows. On the following login, Home windows runs no matter was left behind.”
“The chain produces persistent, silent code execution on the privilege degree of the consumer operating Ollama. Life like payloads embody reverse shells, info-stealers exfiltrating browser secrets and techniques and SSH keys, or droppers that pivot to further persistence mechanisms. Something that runs as the present consumer. Eradicating the dropped binary from the Startup folder ends the persistence, however the underlying flaws stay.”
