Ollama’s Critical CVE-2026-7482 Vulnerability Exposes Process Memory to Remote Attackers
Cybersecurity researchers have identified a significant vulnerability in Ollama, an open-source framework designed for running large language models (LLMs) locally. This flaw, tracked as CVE-2026-7482 and assigned a CVSS score of 9.1, could potentially allow remote, unauthenticated attackers to access the entire process memory of affected servers. The vulnerability, dubbed Bleeding Llama by Cyera, poses a serious threat to over 300,000 servers worldwide.
Understanding the Vulnerability
Ollama’s architecture facilitates the execution of LLMs without relying on cloud infrastructure. The framework has garnered considerable attention, with over 171,000 stars on GitHub and more than 16,100 forks. However, versions prior to 0.17.1 contain a critical heap out-of-bounds read vulnerability in the GGUF model loader. This issue arises when the /api/create endpoint processes an attacker-supplied GGUF file, where the declared tensor offset and size exceed the actual file length. During the quantization process, the server inadvertently reads beyond the allocated heap buffer.
GGUF, or GPT-Generated Unified Format, is a file format specifically designed for storing large language models, enabling efficient local execution. The vulnerability is rooted in Ollama’s use of the unsafe package, which allows operations that circumvent the memory safety guarantees inherent in the programming language.
Attack Scenarios and Data Exfiltration
In a potential attack scenario, a malicious actor could upload a specially crafted GGUF file to an exposed Ollama server. By manipulating the tensor’s shape to an excessively large value, the attacker could trigger the out-of-bounds read during model creation via the /api/create endpoint. Successful exploitation of this vulnerability could lead to the leakage of sensitive data from the Ollama process memory, including environment variables, API keys, system prompts, and user conversation data.
This sensitive information could be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to a server controlled by the attacker. The exploitation chain unfolds in three primary steps:
- Upload a crafted GGUF file with an inflated tensor shape to a network-accessible Ollama server using an HTTP POST request.
- Utilize the
/api/createendpoint to initiate model creation, triggering the out-of-bounds read vulnerability. - Leverage the
/api/pushendpoint to exfiltrate data from the heap memory to an external server.
According to Cyera security researcher Dor Attias, “An attacker can learn basically anything about the organization from your AI inference — API keys, proprietary code, customer contracts, and much more.”
Broader Implications for Users
The implications of this vulnerability extend beyond individual organizations. Many engineers integrate Ollama with tools like Claude Code, amplifying the potential impact. Outputs from these tools are stored in the Ollama server’s heap, increasing the risk of sensitive data exposure.
Users are strongly advised to implement the latest security patches, restrict network access, and audit running instances for internet exposure. Additionally, isolating and securing Ollama instances behind a firewall is recommended. Given that the REST API lacks built-in authentication, deploying an authentication proxy or API gateway is also advisable.
Unpatched Flaws Leading to Persistent Code Execution
In a related development, researchers at Striga have uncovered two vulnerabilities in Ollama’s Windows update mechanism that could be exploited for persistent code execution. These flaws, disclosed on January 27, 2026, remain unpatched after the conclusion of a 90-day disclosure period.
The vulnerabilities involve a missing signature verification and a path traversal issue. The Windows desktop client automatically starts on login from the Windows Startup folder, listens on 127.0.0.1:11434, and periodically polls for updates via the /api/update endpoint. This design allows an attacker to influence update responses and execute arbitrary code at every login.
The identified flaws are as follows:
- CVE-2026-42248 (CVSS score: 7.7) – A missing signature verification vulnerability that fails to validate the update binary before installation, unlike its macOS counterpart.
- CVE-2026-42249 (CVSS score: 7.7) – A path traversal vulnerability that arises from the Windows updater creating the local path for the installer’s staging directory directly from HTTP response headers without proper sanitization.
To exploit these vulnerabilities, an attacker must control an update server accessible to the victim’s Ollama client. This could result in an arbitrary executable being supplied as part of the update process and written to the Windows Startup folder without triggering signature checks.
Recommendations for Users
To mitigate risks associated with these vulnerabilities, users are advised to disable automatic updates and remove any existing Ollama shortcuts from the Startup folder. According to Bartłomiej “Bartek” Dmitruk, co-founder of Striga, “Any Ollama for Windows installation running version 0.12.10 through 0.22.0 is vulnerable.” The combination of path traversal and missing signature verification allows attackers to place executables in the Windows Startup folder, leading to persistent code execution.
The potential consequences of these vulnerabilities are severe, enabling attackers to execute arbitrary code at the privilege level of the user running Ollama. Realistic payloads could include reverse shells, information stealers exfiltrating sensitive data, or droppers that establish additional persistence mechanisms.
For organizations utilizing Ollama, immediate action is essential to secure their systems against these vulnerabilities. Regular audits, timely updates, and robust security practices are critical to safeguarding sensitive information.
Source: thehackernews.com
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.
