PT-2024-9390 · Ollama +1
Published 2024-10-29 · Updated 2026-05-11 · CVE-2024-39720
CVSS v4.0: 8.8 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions:
Ollama versions prior to 0.1.46
Description:
The issue is an out-of-bounds read. A remote attacker can exploit it to cause a denial of service (segmentation fault) using a specially crafted file: the attacker uploads a malformed GGUF file and uses a custom Modelfile to crash the application through the CreateModel route, which is reached via the "/api/create" endpoint.
Recommendations:
For versions prior to 0.1.46, update to version 0.1.46 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/create" endpoint to minimize the risk of exploitation. Avoid using the CreateModel route with untrusted input until the issue is resolved.
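As an added illustration (not Ollama's code and not the upstream fix), the following Python reader parses a GGUF header and metadata section with every read checked against the file length, so a truncated file or an oversized length field is rejected before the file is handed to "/api/create". The advisory does not say which field triggers the crash, so the check is general; the field layout follows the public GGUF specification and the sample file is constructed here.

```python
import struct

GGUF_MAGIC = b"GGUF"
# Byte sizes of the scalar metadata value types in the GGUF spec; type 8 = string, 9 = array.
SCALAR_SIZES = {0: 1, 1: 1, 2: 2, 3: 2, 4: 4, 5: 4, 6: 4, 7: 1, 10: 8, 11: 8, 12: 8}

class Reader:
    """Cursor over a byte buffer; every read is checked against the buffer length first."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        # A length field that runs past EOF is rejected here instead of being read out of bounds.
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError(f"{n} bytes at offset {self.pos} exceed file size {len(self.data)}")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def u32(self) -> int: return struct.unpack("<I", self.take(4))[0]
    def u64(self) -> int: return struct.unpack("<Q", self.take(8))[0]
    def string(self) -> str: return self.take(self.u64()).decode("utf-8")

    def value(self, vtype: int):
        if vtype == 8: return self.string()
        if vtype == 9:  # array: element type (u32), count (u64), then the elements
            etype, count = self.u32(), self.u64()
            return [self.value(etype) for _ in range(count)]
        if vtype in SCALAR_SIZES: return self.take(SCALAR_SIZES[vtype])
        raise ValueError(f"unknown value type {vtype}")

def check_gguf(data: bytes) -> dict:
    # Header: magic, version (u32), tensor count (u64), metadata kv count (u64); v1 used u32 counts.
    r = Reader(data)
    if r.take(4) != GGUF_MAGIC: raise ValueError("bad magic")
    version = r.u32()
    if version not in (2, 3): raise ValueError(f"unsupported GGUF version {version}")
    n_tensors, n_kv = r.u64(), r.u64()
    meta = {}
    for _ in range(n_kv):
        key = r.string()
        meta[key] = r.value(r.u32())
    return {"version": version, "tensors": n_tensors, "metadata": meta}

def is_safe_gguf(data: bytes) -> bool:
    try:
        return bool(check_gguf(data))
    except ValueError:  # UnicodeDecodeError is a ValueError too
        return False

SAMPLE = (GGUF_MAGIC + struct.pack("<IQQ", 3, 0, 2)  # constructed sample: v3, 0 tensors, 2 kv entries
          + struct.pack("<Q", 12) + b"general.name" + struct.pack("<IQ", 8, 4) + b"demo"
          + struct.pack("<Q", 17) + b"general.alignment" + struct.pack("<II", 4, 32))
```

Tensor descriptors and tensor data after the metadata block are not walked here; a production pre-check would apply the same bounded reads to them.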
Exploit · Fix
Weakness Enumeration: Out-of-bounds Read
Related Identifiers
Affected Products: Ollama, Suse