Cybersecurity researchers have disclosed a essential security vulnerability in Ollama that, if efficiently exploited, may permit a distant, unauthenticated attacker to leak its complete course of reminiscence.
The out-of-bounds learn flaw, which probably impacts over 300,000 servers globally, is tracked as CVE-2026-7482 (CVSS rating: 9.1). It has been codenamed Bleeding Llama by Cyera.
Ollama is a well-liked open-source framework that permits massive language fashions (LLMs) to be run domestically as an alternative of on the cloud. On GitHub, the mission has greater than 171,000 stars and has been forked over 16,100 occasions.
“Ollama earlier than 0.17.1 incorporates a heap out-of-bounds learn vulnerability within the GGUF mannequin loader,” based on an outline of the flaw in CVE.org. “The /api/create endpoint accepts an attacker-supplied GGUF file through which the declared tensor offset and dimension exceed the file’s precise size; throughout quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads previous the allotted heap buffer.”
GGUF, quick for GPT-Generated Unified Format, is a file format that is used to retailer massive language fashions in order that they are often simply loaded and executed domestically.
The issue, at its core, stems from Ollama’s use of the unsafe bundle when making a mannequin from a GGUF file, particularly in a perform named “WriteTo(),” thereby making it doable to execute operations that bypass the reminiscence security ensures of the programming language.
In a hypothetical assault state of affairs, a foul actor can ship a specifically crafted GGUF file to an uncovered Ollama server with the tensor’s form set to a really massive quantity to set off the out-of-bounds heap learn throughout mannequin creation utilizing the /api/create endpoint. Profitable exploitation of the vulnerability may leak delicate knowledge from the Ollama course of reminiscence.
This may occasionally embrace setting variables, API keys, system prompts, and concurrent customers’ dialog knowledge. This knowledge could be exfiltrated by importing the ensuing mannequin artifact via the /api/push endpoint to an attacker-controlled registry.
The exploitation chain unfolds over three steps –
- Add a crafted GGUF file with an inflated tensor form to a network-accessible Ollama server utilizing an HTTP POST request.
- Use the /api/create endpoint to activate mannequin creation, firing the out-of-bounds learn vulnerability.
- Use the /api/push endpoint to exfiltrate knowledge from the heap reminiscence to an exterior server.
“An attacker can be taught mainly something in regards to the group out of your AI inference — API keys, proprietary code, buyer contracts, and way more,” Cyera security researcher Dor Attias stated.
“On high of that, engineers usually join Ollama to instruments like Claude Code. In these instances, the affect is even increased — all software outputs circulate to the Ollama server, get saved within the heap, and probably find yourself in an attacker’s fingers.”
Customers are suggested to use the newest fixes, restrict community entry, audit operating situations for web publicity, and isolate and safe them behind a firewall. It is also really helpful to deploy an authentication proxy or API gateway in entrance of all Ollama situations, because the REST API doesn’t present authentication out of the field.
Two Unpatched Flaws in Ollama Result in Persistent Code Execution
The event comes as researchers at Striga detailed two vulnerabilities in Ollama’s Home windows replace mechanism that may be chained into persistent code execution. The shortcomings stay unpatched following disclosure on January 27, 2026, and have been revealed following the elapse of a 90-day disclosure interval.
In accordance with Bartłomiej “Bartek” Dmitruk, co-founder of Striga, the Home windows desktop shopper auto-starts on login from the Home windows Startup folder, listens on 127.0.0[.]1:11434, and periodically polls for updates within the background through the /api/replace endpoint to run any pending updates on the subsequent app begin.
The recognized vulnerabilities relate to a path traversal and a lacking signature test that, when mixed with the on-login routine, can allow an attacker with the flexibility to affect replace responses to execute arbitrary code at each login. The issues are listed beneath –
- CVE-2026-42248 (CVSS rating: 7.7) – A lacking signature verification vulnerability that doesn’t confirm the replace binary previous to set up, in contrast to its macOS model.
- CVE-2026-42249 (CVSS rating: 7.7) – A path traversal vulnerability that stems from the truth that the Home windows updater creates the native path for the installer’s staging listing straight from HTTP response headers with out sanitizing it.
To use the issues, the attacker must be answerable for an replace server that is reachable by the sufferer’s Ollama shopper.In such a scenario, it may result in a state of affairs the place an arbitrary executable is equipped as a part of the replace course of and will get written to the Home windows Startup folder with out elevating any signature test points.
To have the ability to management the replace response, one strategy includes overriding the OLLAMA_UPDATE_URL to level the shopper at an area server on plain HTTP. The assault chain additionally assumes AutoUpdateEnabled is on, which is the default setting.
What’s extra, the lacking integrity test can result in code execution by itself with out the necessity for exploiting the trail traversal vulnerability. On this case, the installer is dropped into the anticipated staging listing. Throughout the subsequent launch from the Startup folder, the replace course of is invoked with out re-verifying the signature, inflicting the attacker’s code to be executed as an alternative.
That being stated, the distant code execution is just not persistent, as the subsequent respectable replace overwrites the staged file. By including the trail traversal to the combination, a foul actor can redirect the executable to be written exterior the standard path and obtain persistent code execution.
In accordance with CERT Polska, which took over the coordinated disclosure course of, Ollama for Home windows variations 0.12.10 via 0.17.5 are susceptible to the 2 flaws. Within the interim, customers are really helpful to show off automated updates and take away any present Ollama shortcut from the Startup folder (“%APPDATApercentMicrosoftWindowsStart MenuProgramsStartup”) to disable the silent on-login execution pathway.
“Any Ollama for Home windows set up operating model 0.12.10 via 0.22.0 is susceptible,” Dmitruk stated. “The trail traversal writes attacker-chosen executables into the Home windows Startup folder. The lacking signature verification retains them there: the post-write cleanup that may take away unsigned recordsdata on a working updater is a no-op on Home windows. On the subsequent login, Home windows runs no matter was left behind.”
“The chain produces persistent, silent code execution on the privilege stage of the consumer operating Ollama. Reasonable payloads embrace reverse shells, info-stealers exfiltrating browser secrets and techniques and SSH keys, or droppers that pivot to extra persistence mechanisms. Something that runs as the present consumer. Eradicating the dropped binary from the Startup folder ends the persistence, however the underlying flaws stay.”
