Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak

Cybersecurity experts have revealed a critical security vulnerability in Ollama that could potentially allow a remote attacker to access its entire process memory without authentication.

This out-of-bounds read flaw, affecting more than 300,000 servers worldwide, is identified as CVE-2026-7482 (CVSS score: 9.1) and has been named Bleeding Llama by Cyera.

Ollama is a widely used open-source framework that enables large language models (LLMs) to run locally rather than on the cloud. The project has gained significant popularity on GitHub with over 171,000 stars and 16,100 forks.

“Ollama prior to 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader,” as described on CVE.org. “The /api/create endpoint accepts a GGUF file from an attacker where the declared tensor offset and size exceed the file’s actual length, leading to reading beyond the allocated heap buffer during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()).”

GGUF, or GPT-Generated Unified Format, is a file format used to store large language models for easy local loading and execution.

The vulnerability stems from Ollama’s use of Go’s unsafe package when creating a model from a GGUF file, particularly in the “WriteTo()” function. Operations performed through unsafe bypass the language’s memory safety guarantees.
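The kind of bounds check the CVE description implies, shown as an added example (not Ollama's code or its patch): every declared tensor range is validated against the bytes actually present before any read. The `TensorInfo` type, the function names and the restriction to fixed-size element types are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// TensorInfo is a hypothetical, simplified GGUF tensor descriptor.
// Every field is read from the untrusted file header.
type TensorInfo struct {
	Name              string
	Shape             []uint64 // declared dimensions
	ElemBytes, Offset uint64   // bytes per element (4 for F32); offset into tensor data
}

var ErrOutOfBounds = errors.New("tensor range exceeds available data")

// TensorBytes multiplies the declared dimensions with overflow detection,
// so an inflated shape cannot wrap around to a small size.
func TensorBytes(t TensorInfo) (uint64, bool) {
	size := t.ElemBytes
	for _, d := range t.Shape {
		hi, lo := bits.Mul64(size, d)
		if hi != 0 {
			return 0, false
		}
		size = lo
	}
	return size, true
}

// ValidateTensor checks the declared range against dataLen, the number of
// tensor-data bytes actually present, before any read or slice is attempted.
func ValidateTensor(t TensorInfo, dataLen uint64) error {
	size, ok := TensorBytes(t)
	// Compare against the remainder: offset+size could itself overflow.
	if !ok || t.Offset > dataLen || size > dataLen-t.Offset {
		return fmt.Errorf("%s: %w", t.Name, ErrOutOfBounds)
	}
	return nil
}

func main() {
	// Constructed sample: only 64 bytes of tensor data are actually present.
	ok := TensorInfo{"ok", []uint64{4, 4}, 4, 0}
	bad := TensorInfo{"inflated", []uint64{4096, 4096}, 4, 0}
	fmt.Println(ValidateTensor(ok, 64), ValidateTensor(bad, 64))
}
```

Quantized GGUF types store elements in fixed-size blocks, so a real loader would compute the byte size per block rather than per element; the comparison against the remaining data is the same.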

In a potential attack, a malicious actor could send a crafted GGUF file with an inflated tensor shape to an exposed Ollama server, triggering an out-of-bounds heap read during model creation via the /api/create endpoint. Successful exploitation could result in sensitive data leakage from Ollama’s process memory.

This leaked data may include environment variables, API keys, system prompts, and user conversation data. The exfiltration of this data can be achieved by uploading the model artifact through the /api/push endpoint to a registry controlled by the attacker.

The exploitation process involves three steps:

  • Upload a crafted GGUF file with an inflated tensor shape to an accessible Ollama server via an HTTP POST request.
  • Utilize the /api/create endpoint to trigger model creation and exploit the out-of-bounds read vulnerability.
  • Use the /api/push endpoint to extract data from the heap memory to an external server.

“An attacker could potentially gain access to sensitive organizational information from your AI inference, including API keys, proprietary code, and customer contracts,” stated Cyera security researcher Dor Attias.

“Moreover, engineers often connect Ollama to tools like Claude Code, amplifying the impact as all tool outputs are stored in the heap and can potentially be accessed by an attacker.”

Users are urged to apply the latest patches, restrict network access, monitor instances for online exposure, and secure them behind a firewall. Implementing an authentication proxy or API gateway in front of Ollama instances is recommended as the REST API lacks built-in authentication.

Two Unresolved Vulnerabilities in Ollama Result in Persistent Code Execution

Simultaneously, Striga researchers have disclosed two vulnerabilities in Ollama’s Windows update mechanism that can be combined to achieve persistent code execution. These vulnerabilities remain unaddressed since their disclosure on January 27, 2026, following a 90-day disclosure period.

According to Bartłomiej “Bartek” Dmitruk, co-founder of Striga, the Windows desktop client auto-launches on login from the Windows Startup folder, listens on 127.0.0[.]1:11434, and periodically checks for updates through the /api/update endpoint, running any pending update on the next app startup.

The identified vulnerabilities pertain to a path traversal issue and a lack of signature verification which, when combined with the on-login routine, enable an attacker to execute arbitrary code during each login. The vulnerabilities are outlined below:

  • CVE-2026-42248 (CVSS score: 7.7) – A signature verification omission that does not authenticate the update binary before installation, unlike the macOS version.
  • CVE-2026-42249 (CVSS score: 7.7) – A path traversal vulnerability arising from the Windows updater creating the local path for the installer’s staging directory directly from HTTP response headers without proper validation.
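How an updater can keep a header-supplied file name inside its staging directory, shown as an added example (not Ollama's updater code): the name is treated as untrusted and must be a single path element. The function name, the `.exe` restriction and the sample values are assumptions. The check addresses only the path traversal and is not a substitute for verifying the installer's signature.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrUnsafeName = errors.New("unsafe installer file name")

// SafeStagingPath (hypothetical name) turns an untrusted file name taken from
// an HTTP response header into a path directly inside stagingDir, or fails.
func SafeStagingPath(stagingDir, headerName string) (string, error) {
	name := strings.TrimSpace(headerName)
	// Reject separators of either platform, drive/stream colons and NUL
	// outright instead of trying to clean them: one path element only.
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, "/\\:\x00") {
		return "", fmt.Errorf("%w: %q", ErrUnsafeName, headerName)
	}
	// Assumption for this example: only .exe installers are expected.
	if !strings.EqualFold(filepath.Ext(name), ".exe") {
		return "", fmt.Errorf("%w: %q", ErrUnsafeName, headerName)
	}
	full := filepath.Join(stagingDir, name)
	// Defense in depth: the joined path must still resolve under stagingDir.
	if rel, err := filepath.Rel(stagingDir, full); err != nil || rel != name {
		return "", fmt.Errorf("%w: %q", ErrUnsafeName, headerName)
	}
	return full, nil
}

func main() {
	// Constructed header values; the staging directory is a placeholder.
	dir := filepath.Join("updates", "staging")
	for _, h := range []string{"installer.exe", `..\..\outside.exe`, "../../outside.exe"} {
		p, err := SafeStagingPath(dir, h)
		fmt.Printf("%q -> %q, err=%v\n", h, p, err)
	}
}
```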

To exploit these vulnerabilities, an attacker must control an update server accessible to the victim’s Ollama client. This could lead to scenarios where arbitrary executables are included in the update process and written to the Windows Startup folder without triggering signature checks.

By overriding the OLLAMA_UPDATE_URL to direct the client to a local server via plain HTTP, attackers can manipulate the update response. The attack assumes AutoUpdateEnabled is enabled by default.

The absence of integrity checks can independently result in code execution without the need to exploit the path traversal vulnerability. In such cases, the installer is placed in the expected staging directory, and upon the next launch from the Startup folder, the update process commences without revalidating the signature, enabling the execution of the attacker’s code.

However, code execution obtained this way is not persistent, because the next legitimate update overwrites the staged file. When combined with the path traversal, an attacker can redirect the executable outside the usual path, where it persists.

CERT Polska, which has taken over the coordinated disclosure process, notes that Ollama versions 0.12.10 through 0.17.5 for Windows are vulnerable to these flaws. As a temporary measure, users are advised to disable automatic updates and remove any existing Ollama shortcuts from the Startup folder to prevent silent execution upon login.

“Any Ollama for Windows installation running version 0.12.10 through 0.22.0 is vulnerable,” Dmitruk emphasized. “The path traversal writes attacker-chosen executables into the Windows Startup folder. The missing signature verification allows them to remain there, executing upon the next login. Realistic payloads include reverse shells, info-stealers, or droppers for additional persistence mechanisms.”