Skip to main content

Ollama CVE-2026-7482

| EUVDEUVD-2026-26949 HIGH
Out-of-bounds Read (CWE-125)
2026-05-04 Echo GHSA-x8qc-fggm-mpqg
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:D/RE:L/U:Red
SUSE
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Red Hat
9.1 CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:D/RE:L/U:Red
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

10
Analysis Updated
May 04, 2026 - 13:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 04, 2026 - 13:22 vuln.today
cvss_changed
Severity Changed
May 04, 2026 - 13:22 NVD
CRITICAL HIGH
CVSS changed
May 04, 2026 - 13:22 NVD
9.1 (CRITICAL) 8.8 (HIGH)
Source Code Evidence Fetched
May 04, 2026 - 13:15 vuln.today
Analysis Generated
May 04, 2026 - 13:15 vuln.today
EUVD ID Assigned
May 04, 2026 - 13:00 euvd
EUVD-2026-26949
Analysis Generated
May 04, 2026 - 13:00 vuln.today
Patch released
May 04, 2026 - 13:00 nvd
Patch available
CVE Published
May 04, 2026 - 12:38 nvd
HIGH 8.8

DescriptionCVE.org

Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed).

AnalysisAI

Heap out-of-bounds read in Ollama's GGUF model loader (<0.17.1) leaks sensitive memory contents including API keys, environment variables, and concurrent user data when processing maliciously crafted model files. Attackers can trigger the vulnerability by uploading a GGUF file with tensor offsets exceeding file bounds via the unauthenticated /api/create endpoint, then exfiltrate leaked memory through /api/push to attacker-controlled registries. While default deployments bind to localhost only, the widely-adopted OLLAMA_HOST=0.0.0.0 configuration exposes instances to network exploitation. Vendor-released patch available in version 0.17.1 with GitHub commit 88d57d0483cca907e0b23a968c83627a20b21047 adding bounds validation to fs/ggml/gguf.go and server/quantization.go.

Technical ContextAI

Ollama is a model serving platform that loads machine learning models in GGUF (GPT-Generated Unified Format) container format. The vulnerability affects the GGUF decoder in fs/ggml/gguf.go and quantization logic in server/quantization.go. When processing tensor metadata during model import, the code reads tensor data from attacker-controlled offsets without validating that declared offset+size falls within file boundaries. CWE-125 (Out-of-bounds Read) occurs when the declared tensor offset and size exceed the actual file length, causing io.ReadSeeker operations to read uninitialized heap memory during WriteTo() calls. The leaked memory region may contain residual data from prior allocations including environment variables (OLLAMA_API_KEY, cloud credentials), system prompts from the model serving context, and conversation history from concurrent users sharing the same process space. The vulnerability chain spans two phases: first triggering the OOB read during /api/create processing, then exfiltrating the corrupted model artifact containing leaked memory through /api/push to an external registry under attacker control.

RemediationAI

Upgrade immediately to Ollama version 0.17.1 or later, which includes commit 88d57d0483cca907e0b23a968c83627a20b21047 adding file size validation and tensor bounds checking to the GGUF decoder. The patch modifies fs/ggml/gguf.go to validate tensorEnd (tensorOffset + tensor.Offset + tensor.Size) does not exceed file size before read operations, and adds size validation in server/quantization.go to reject undersized tensor data. Download the patched release from https://github.com/ollama/ollama/releases/tag/v0.17.1 and verify the fix via pull request https://github.com/ollama/ollama/pull/14406. For deployments that cannot immediately upgrade: restrict network binding to localhost only by removing OLLAMA_HOST=0.0.0.0 configuration and using default 127.0.0.1 binding (eliminates remote attack vector but does not fix the underlying memory safety issue-local attackers can still trigger OOB reads). Deploy a reverse proxy with authentication (nginx, Caddy, Traefik) in front of Ollama API endpoints to enforce access controls (adds authentication layer but introduces latency and operational complexity; does not prevent authenticated attackers from exploiting the heap read). Implement network-level restrictions allowing only trusted IP ranges to access ports 11434/tcp (default Ollama port) via firewall rules or security groups (reduces exposure but requires maintaining IP allowlists and breaks dynamic client scenarios). Monitor /api/create and /api/push endpoint access logs for unusual model upload patterns or large model artifacts being pushed to unexpected registries (detective control only-does not prevent exploitation). All workarounds are partial mitigations; upgrading to 0.17.1 is the only complete remediation.

Vendor StatusVendor

SUSE

Severity: Critical

Share

CVE-2026-7482 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy