Skip to main content
Emerging Threats

Ollama Vulnerability Exposes Servers to Remote Memory Leak

Server room with rows of equipment and a single server in the foreground, GGUF file on nearby surface.

Likely affecting over 300,000 servers worldwide, a newly disclosed out‑of‑bounds read in Ollama is tracked as CVE-2026-7482 (CVSS 9.1) and has been codenamed "Bleeding Llama" by Cyera.

How CVE-2026-7482 (Bleeding Llama) operates

According to the CVE entry cited by researchers, "Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader." The flaw arises when the /api/create endpoint accepts a crafted GGUF file whose declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer.

The root cause is Ollama's use of the language's unsafe package when creating a model from a GGUF file, specifically in a function named WriteTo(). That use permits operations that bypass the programming language's memory-safety guarantees and enables a heap read beyond allocated memory.

Attack chain and the data an attacker can take

Cyera and other researchers map the exploitation chain to three HTTP actions against a network‑accessible Ollama server: (1) upload a crafted GGUF file with an inflated tensor shape via HTTP POST, (2) trigger model creation on /api/create to fire the out‑of‑bounds read, and (3) exfiltrate heap contents by uploading the resulting model artifact through /api/push to an attacker‑controlled registry.

Successful exploitation "could leak sensitive data from the Ollama process memory," the advisory states. Examples the researchers list include environment variables, API keys, system prompts, and concurrent users' conversation data. Cyera security researcher Dor Attias warned, "An attacker can learn basically anything about the organization from your AI inference — API keys, proprietary code, customer contracts, and much more." He added that integrations with external tools can amplify impact: "On top of that, engineers often connect Ollama to tools like Claude Code. In those cases, the impact is even higher -- all tool outputs flow to the Ollama server, get saved in the heap, and potentially end up in an attacker's hands."

Two separate Windows update flaws that enable persistence

In parallel, Striga researchers disclosed two vulnerabilities in Ollama's Windows update mechanism that can be chained into persistent code execution. CERT Polska handled the coordinated disclosure after the 90‑day window elapsed.

  • CVE-2026-42248 (CVSS 7.7): a missing signature verification that does not verify the update binary prior to installation on Windows, unlike the macOS updater.
  • CVE-2026-42249 (CVSS 7.7): a path traversal vulnerability in which the Windows updater builds the installer's staging directory path directly from HTTP response headers without sanitization.

Bartłomiej "Bartek" Dmitruk, co‑founder of Striga, described how the Windows client autostarts from the Windows Startup folder, listens on 127.0.0.1:11434, and polls /api/update. If an attacker controls the update response (for example by overriding OLLAMA_UPDATE_URL or manipulating a reachable update server) and AutoUpdateEnabled is on (the default), an arbitrary executable can be supplied as an update and written into the Startup folder. Dmitruk cautioned that "the chain produces persistent, silent code execution at the privilege level of the user running Ollama," and that "realistic payloads include reverse shells, info‑stealers exfiltrating browser secrets and SSH keys, or droppers that pivot to additional persistence mechanisms."

CERT Polska identified Ollama for Windows versions 0.12.10 through 0.17.5 as vulnerable to the two updater flaws; Dmitruk also stated, "Any Ollama for Windows installation running version 0.12.10 through 0.22.0 is vulnerable," highlighting a broader affected range in his assessment.

What technologists, Ollama for Windows users, and enterprise IT should do

Technologists and security teams: apply the latest fixes for CVE-2026-7482 and the updater flaws as they become available, limit network exposure of Ollama instances, and place instances behind a firewall. The advisory also recommends deploying an authentication proxy or API gateway because the REST API does not provide authentication out of the box.

Ollama for Windows users and administrators: CERT Polska recommends turning off automatic updates and removing the Ollama shortcut from the Windows Startup folder ("%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") to disable the silent on‑login execution pathway until fixes are installed.

Enterprise IT and procurement: audit running instances for internet exposure and isolate development or inference servers that host models or store sensitive inference outputs. The guidance in the disclosure stresses network isolation and review of default updater settings such as AutoUpdateEnabled.

Containment, disclosure timing, and immediate actions

The Bleeding Llama advisory and the Striga findings together show two distinct attack surfaces: a model‑loading path that can leak process memory remotely and an updater that can deliver persistent code execution locally on Windows. Until patched, defenders are advised to restrict network access to Ollama instances, remove startup shortcuts on Windows, disable automatic updates, and deploy authentication layers in front of exposed REST endpoints.

Both the memory‑leak vulnerability and the updater flaws point to operational risks where model artifacts, tool outputs, and environment secrets can be exposed or written into persistent locations. The coordinated disclosure process for the updater flaws was handled by CERT Polska after a 90‑day disclosure period; users should track vendor patches and apply them promptly.

Read the original reporting: https://thehackernews.com/2026/05/ollama-out-of-bounds-read-vulnerability.html