PT-2026-36799 · Ollama · Ollama
Published
2026-02-25
·
Updated
2026-06-30
·
CVE-2026-7482
CVSS v2.0
9.4
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Ollama versions prior to 0.17.1
Description
A heap out-of-bounds read issue exists in the GGUF model loader. An unauthenticated remote attacker can exploit this by providing a specially crafted GGUF file via the
/api/create endpoint where the declared tensor offset and size exceed the actual file length. During quantization in fs/ggml/gguf.go and server/quantization.go within the WriteTo() function, the server reads past the allocated heap buffer. This allows the exfiltration of sensitive process memory—including API keys, environment variables, system prompts, and conversation data from concurrent users—by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. Approximately 300,000 deployments are estimated to be exposed globally, particularly those using the OLLAMA HOST=0.0.0.0 configuration.Recommendations
Update to version 0.17.1 or later.
Restrict network access to the server and avoid exposing it directly to the public internet.
Implement a reverse proxy with authentication in front of the inference service.
Restrict GGUF uploads to trusted sources only.
Disable public model creation endpoints.
Rotate all secrets and API keys if the instance was exposed to the internet.
Fix
Out of bounds Read
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ollama