Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:D/RE:L/U:Red
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:D/RE:L/U:Red
Lifecycle Timeline
10DescriptionCVE.org
Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed).
AnalysisAI
Heap out-of-bounds read in Ollama's GGUF model loader (<0.17.1) leaks sensitive memory contents including API keys, environment variables, and concurrent user data when processing maliciously crafted model files. Attackers can trigger the vulnerability by uploading a GGUF file with tensor offsets exceeding file bounds via the unauthenticated /api/create endpoint, then exfiltrate leaked memory through /api/push to attacker-controlled registries. While default deployments bind to localhost only, the widely-adopted OLLAMA_HOST=0.0.0.0 configuration exposes instances to network exploitation. Vendor-released patch available in version 0.17.1 with GitHub commit 88d57d0483cca907e0b23a968c83627a20b21047 adding bounds validation to fs/ggml/gguf.go and server/quantization.go.
Technical ContextAI
Ollama is a model serving platform that loads machine learning models in GGUF (GPT-Generated Unified Format) container format. The vulnerability affects the GGUF decoder in fs/ggml/gguf.go and quantization logic in server/quantization.go. When processing tensor metadata during model import, the code reads tensor data from attacker-controlled offsets without validating that declared offset+size falls within file boundaries. CWE-125 (Out-of-bounds Read) occurs when the declared tensor offset and size exceed the actual file length, causing io.ReadSeeker operations to read uninitialized heap memory during WriteTo() calls. The leaked memory region may contain residual data from prior allocations including environment variables (OLLAMA_API_KEY, cloud credentials), system prompts from the model serving context, and conversation history from concurrent users sharing the same process space. The vulnerability chain spans two phases: first triggering the OOB read during /api/create processing, then exfiltrating the corrupted model artifact containing leaked memory through /api/push to an external registry under attacker control.
RemediationAI
Upgrade immediately to Ollama version 0.17.1 or later, which includes commit 88d57d0483cca907e0b23a968c83627a20b21047 adding file size validation and tensor bounds checking to the GGUF decoder. The patch modifies fs/ggml/gguf.go to validate tensorEnd (tensorOffset + tensor.Offset + tensor.Size) does not exceed file size before read operations, and adds size validation in server/quantization.go to reject undersized tensor data. Download the patched release from https://github.com/ollama/ollama/releases/tag/v0.17.1 and verify the fix via pull request https://github.com/ollama/ollama/pull/14406. For deployments that cannot immediately upgrade: restrict network binding to localhost only by removing OLLAMA_HOST=0.0.0.0 configuration and using default 127.0.0.1 binding (eliminates remote attack vector but does not fix the underlying memory safety issue-local attackers can still trigger OOB reads). Deploy a reverse proxy with authentication (nginx, Caddy, Traefik) in front of Ollama API endpoints to enforce access controls (adds authentication layer but introduces latency and operational complexity; does not prevent authenticated attackers from exploiting the heap read). Implement network-level restrictions allowing only trusted IP ranges to access ports 11434/tcp (default Ollama port) via firewall rules or security groups (reduces exposure but requires maintaining IP allowlists and breaks dynamic client scenarios). Monitor /api/create and /api/push endpoint access logs for unusual model upload patterns or large model artifacts being pushed to unexpected registries (detective control only-does not prevent exploitation). All workarounds are partial mitigations; upgrading to 0.17.1 is the only complete remediation.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: CriticalShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26949
GHSA-x8qc-fggm-mpqg