
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak


Critical Security Vulnerability in Ollama 🚨

Cybersecurity researchers have disclosed a critical security vulnerability in Ollama that, if successfully exploited, could allow a remote, unauthenticated attacker to leak the server's entire process memory. The out-of-bounds read flaw, which likely impacts over 300,000 servers globally, is tracked as CVE-2026-7482 (CVSS score: 9.1). It has been codenamed Bleeding Llama by Cyera.

Ollama is a popular open-source framework that allows large language models (LLMs) to be run locally instead of in the cloud. According to the description of the flaw on CVE.org, “Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader.” The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file’s actual length; during quantization, the server reads past the allocated heap buffer.

Hypothetical Attack Scenario 🔍

In a hypothetical attack scenario, a bad actor can send a specially crafted GGUF file to an exposed Ollama server, with a tensor’s declared shape set to a very large value, to trigger the out-of-bounds heap read during model creation via the /api/create endpoint. Successful exploitation of the vulnerability could leak sensitive data from the Ollama process memory, including environment variables, API keys, system prompts, and concurrent users’ conversation data. This data can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry.
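The root cause described above is a loader that trusts a tensor's declared offset and shape without checking them against the bytes actually present. The following Go snippet is an added example of the bounds check a hardened loader performs before touching tensor data; it is not Ollama's code and does not parse the real GGUF header. It assumes a simplified descriptor (name, offset relative to the tensor data section, element count, bytes per element) and checks every sum for overflow before comparing it, because a declared shape large enough to wrap uint64 would otherwise slip past a naive `offset+size <= length` test.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// tensorInfo is a simplified stand-in for one GGUF tensor descriptor
// (assumed shape for this example, not the real header layout): the byte
// offset relative to the start of the tensor data section plus the element
// count and element width from which the tensor's byte length is derived.
type tensorInfo struct {
	Name      string
	Offset    uint64
	NumElems  uint64
	ElemBytes uint64
}

var errOutOfBounds = errors.New("tensor extends beyond tensor data section")

// tensorByteLen multiplies element count by element width, refusing to wrap
// around uint64: a wrapped length would look small and pass a naive check.
func tensorByteLen(t tensorInfo) (uint64, error) {
	if t.ElemBytes == 0 {
		return 0, fmt.Errorf("tensor %q: zero element width", t.Name)
	}
	if t.NumElems > math.MaxUint64/t.ElemBytes {
		return 0, fmt.Errorf("tensor %q: element count overflows byte length", t.Name)
	}
	return t.NumElems * t.ElemBytes, nil
}

// validateTensorBounds rejects any descriptor whose [Offset, Offset+len)
// range does not fit inside the data section of a fileLen-byte file whose
// data section begins at dataStart. Subtraction is used instead of addition
// so no intermediate value can overflow.
func validateTensorBounds(fileLen, dataStart uint64, tensors []tensorInfo) error {
	if dataStart > fileLen {
		return errors.New("data section starts past end of file")
	}
	sectionLen := fileLen - dataStart
	for _, t := range tensors {
		n, err := tensorByteLen(t)
		if err != nil {
			return err
		}
		if t.Offset > sectionLen || n > sectionLen-t.Offset {
			return fmt.Errorf("tensor %q: %w (offset=%d len=%d section=%d)",
				t.Name, errOutOfBounds, t.Offset, n, sectionLen)
		}
	}
	return nil
}

func main() {
	// Constructed descriptors for a 1 MiB file with a 4 KiB header.
	ok := []tensorInfo{{"blk.0.w", 0, 1024, 4}, {"blk.1.w", 4096, 2048, 2}}
	bad := []tensorInfo{{"blk.0.w", 0, 1 << 40, 4}} // declared shape far larger than the file
	fmt.Println("well-formed:", validateTensorBounds(1<<20, 4096, ok))
	fmt.Println("oversized:  ", validateTensorBounds(1<<20, 4096, bad))
}
```

The check runs over the descriptors before any tensor is read or quantized, so a file whose declared shape exceeds its length is rejected at parse time rather than discovered as a heap read past the buffer.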

“An attacker can learn basically anything about the organization from your AI inference – API keys, proprietary code, customer contracts, and much more,” Cyera security researcher Dor Attias said. Users are advised to apply the latest fixes, limit network access, audit running instances for internet exposure, and isolate and secure them behind a firewall. It’s also recommended to deploy an authentication proxy or API gateway in front of all Ollama instances, as the REST API does not provide authentication out of the box.

Additional Vulnerabilities 🛡️

Additionally, researchers at Striga detailed two unpatched vulnerabilities in Ollama’s Windows update mechanism that can be chained into persistent code execution. The shortcomings were reported on January 27, 2026, remain unpatched, and were published after the 90-day disclosure period elapsed. The identified vulnerabilities relate to a path traversal and a missing signature check:

  • CVE-2026-42248 (CVSS score: 7.7) is a missing signature verification vulnerability: the Windows updater does not verify the update binary prior to installation, unlike the macOS version.
  • CVE-2026-42249 (CVSS score: 7.7) is a path traversal vulnerability that stems from the fact that the Windows updater derives the local path for the installer’s staging directory directly from HTTP response headers without sanitizing it.

To exploit the flaws, the attacker needs to be in control of an update server that’s reachable by the victim’s Ollama client. In that position, an arbitrary executable can be supplied as part of the update process and written to the Windows Startup folder without failing any signature check.
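The traversal bug above comes from building a filesystem path straight from an HTTP response header. The Go function below is an added example of the containment check an updater should apply to a server-supplied file name before staging an installer; it is not Ollama's updater code, and the staging directory and header values are constructed. It treats the name as a single path component, rejecting separators, drive-letter colons and dot entries outright, and then re-verifies with `filepath.Rel` that the joined result still lies under the staging base. The signature check the page also mentions is a separate control and is not shown here.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errTraversal = errors.New("file name would escape staging directory")

// safeStagingPath joins a file name taken from an untrusted HTTP header onto
// the updater's staging directory. The name must be a single component: any
// path separator, Windows drive colon, NUL byte or dot entry is rejected
// rather than "cleaned", since a cleaned traversal is still a traversal.
// As a second line of defence the joined path is checked to be relative to
// the base without a leading "..".
func safeStagingPath(base, name string) (string, error) {
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, "/\\:\x00") {
		return "", fmt.Errorf("%w: %q", errTraversal, name)
	}
	cleanBase := filepath.Clean(base)
	joined := filepath.Join(cleanBase, name)
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", errTraversal, name)
	}
	return joined, nil
}

func main() {
	// Constructed staging directory and header-derived names.
	base := filepath.Join("tmp", "ollama-staging")
	for _, name := range []string{
		"OllamaSetup.exe",           // legitimate installer name
		`..\..\Startup\update.exe`,  // Windows-style traversal
		"../../startup/update.exe",  // POSIX-style traversal
		"C:evil.exe",                // drive-relative name
	} {
		p, err := safeStagingPath(base, name)
		if err != nil {
			fmt.Printf("rejected %q: %v\n", name, err)
			continue
		}
		fmt.Printf("staging %q at %s\n", name, p)
	}
}
```

Rejecting rather than normalising means a server that sends a traversal sequence gets an error and no file is written at all, which also gives the updater a clean event to log.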

“The path traversal writes attacker-chosen executables into the Windows Startup folder. The missing signature verification keeps them there: the post-write cleanup that would remove unsigned files on a working updater is a no-op on Windows. On the next login, Windows runs whatever was left behind,” Bartłomiej “Bartek” Dmitruk said. He further stated, “The chain produces persistent, silent code execution at the privilege level of the user running Ollama.” Ollama for Windows versions 0.12.10 through 0.22.0 are vulnerable. In the interim, users are recommended to turn off automatic updates and remove any existing Ollama shortcut from the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) to disable the silent on-login execution pathway.


This post is licensed under CC BY 4.0 by the author.