PT-2026-36799 · Ollama · Ollama
Published 2026-05-04 · Updated 2026-05-11 · CVE-2026-7482
CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Ollama versions prior to 0.17.1
Description
A heap out-of-bounds read exists in the GGUF model loader. An unauthenticated remote attacker can exploit this by providing a crafted GGUF file via the '/api/create' endpoint where the declared tensor offset and size exceed the actual file length. During quantization in fs/ggml/gguf.go and server/quantization.go within the WriteTo() function, the server reads past the allocated heap buffer. This occurs because the parser uses the Go unsafe package, bypassing standard bounds checking.
The leaked memory can include environment variables, API keys, OAuth tokens, system prompts, user prompts, and conversation data from concurrent users. This information can be exfiltrated by uploading the resulting model artifact through the '/api/push' endpoint to an attacker-controlled registry. It is estimated that approximately 300,000 servers are exposed to this issue globally, particularly those configured with OLLAMA_HOST=0.0.0.0 without authentication.
Recommendations
Update to version 0.17.1.
Restrict network access by blocking TCP port 11434 at the perimeter or binding the service to 127.0.0.1.
Rotate any credentials, API keys, or secrets that were present in the environment of an exposed instance.
Use a reverse proxy with strong authentication for remote access instead of exposing the raw API.
As a temporary mitigation, restrict access to the '/api/create' endpoint.
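The Description attributes the bug to a declared tensor offset and size that exceed the actual file length. The following is an added example of that kind of bounds check, not Ollama's code and not the 0.17.1 patch; `TensorInfo`, `CheckTensor`, `ValidateAll` and the sample values are hypothetical names and constructed data.

```go
package main

import (
	"errors"
	"fmt"
)

// TensorInfo mirrors what a GGUF header declares for one tensor.
// Hypothetical type for this example, not Ollama's own struct.
type TensorInfo struct {
	Name   string
	Offset uint64 // byte offset relative to the start of the tensor data region
	Size   uint64 // declared byte length of the tensor
}

var ErrOutOfBounds = errors.New("declared tensor range exceeds file length")

// CheckTensor verifies the declared range fits in a file of fileLen bytes.
// It compares by subtraction, so values near 2^64 cannot wrap past the check.
func CheckTensor(t TensorInfo, dataStart, fileLen uint64) error {
	if dataStart > fileLen {
		return fmt.Errorf("%w: data region starts at %d, file has %d bytes", ErrOutOfBounds, dataStart, fileLen)
	}
	avail := fileLen - dataStart
	if t.Offset > avail || t.Size > avail-t.Offset {
		return fmt.Errorf("%w: tensor %q offset=%d size=%d, %d bytes available",
			ErrOutOfBounds, t.Name, t.Offset, t.Size, avail)
	}
	return nil
}

// ValidateAll rejects the file on the first bad tensor, before any data is read.
func ValidateAll(tensors []TensorInfo, dataStart, fileLen uint64) error {
	for _, t := range tensors {
		if err := CheckTensor(t, dataStart, fileLen); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed sample: a 96-byte file whose tensor data starts at byte 32.
	tensors := []TensorInfo{
		{Name: "ok.weight", Offset: 0, Size: 64},
		{Name: "crafted.weight", Offset: 32, Size: 1 << 20}, // claims 1 MiB
	}
	fmt.Println(ValidateAll(tensors, 32, 96))
}
```

Running such a check on every tensor entry at parse time means a header that lies about its sizes is rejected before any code path takes a slice or pointer into the data region.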
Fix
Out of bounds Read
Weakness Enumeration
Related Identifiers
Affected Products
Ollama