PT-2026-36799 · Ollama · Ollama

Published: 2026-02-25 · Updated: 2026-06-30 · CVE-2026-7482

CVSS v2.0: 9.4 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Ollama versions prior to 0.17.1

Description

A heap out-of-bounds read issue exists in the GGUF model loader. An unauthenticated remote attacker can exploit this by providing a specially crafted GGUF file via the /api/create endpoint where the declared tensor offset and size exceed the actual file length. During quantization in fs/ggml/gguf.go and server/quantization.go within the WriteTo() function, the server reads past the allocated heap buffer. This allows the exfiltration of sensitive process memory (including API keys, environment variables, system prompts, and conversation data from concurrent users) by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. Approximately 300,000 deployments are estimated to be exposed globally, particularly those using the OLLAMA_HOST=0.0.0.0 configuration.

Recommendations

Update to version 0.17.1 or later. Restrict network access to the server and avoid exposing it directly to the public internet. Implement a reverse proxy with authentication in front of the inference service. Restrict GGUF uploads to trusted sources only. Disable public model creation endpoints. Rotate all secrets and API keys if the instance was exposed to the internet.
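The class of check whose absence the description points to, written as an added example (not Ollama's code and not the actual patch): every declared tensor range is validated against the real file length before any tensor data is read. The names TensorInfo, ValidateTensorBounds and ErrTensorOutOfBounds are hypothetical, and the example assumes the loader already knows each tensor's byte size and the absolute start of the tensor data section.

```go
package main

import (
	"errors"
	"fmt"
)

// TensorInfo holds the per-tensor values taken from an untrusted GGUF header.
// Hypothetical type for this example, not Ollama's own struct.
type TensorInfo struct {
	Name   string
	Offset uint64 // relative to the start of the tensor data section
	Size   uint64 // byte length the header declares or implies for the tensor
}

// ErrTensorOutOfBounds marks a header that points outside the file.
var ErrTensorOutOfBounds = errors.New("tensor data exceeds file length")

// ValidateTensorBounds rejects any tensor whose [Offset, Offset+Size) range is
// not fully inside the file. dataStart is the absolute offset of the tensor
// data section; fileLen must be the real on-disk size, never a header field.
func ValidateTensorBounds(tensors []TensorInfo, dataStart, fileLen uint64) error {
	if dataStart > fileLen {
		return fmt.Errorf("%w: data section starts at %d, file is %d bytes",
			ErrTensorOutOfBounds, dataStart, fileLen)
	}
	avail := fileLen - dataStart
	for _, t := range tensors {
		// Compare by subtraction so a huge Offset+Size cannot wrap around uint64.
		if t.Offset > avail || t.Size > avail-t.Offset {
			return fmt.Errorf("%w: %q offset=%d size=%d, only %d bytes of tensor data",
				ErrTensorOutOfBounds, t.Name, t.Offset, t.Size, avail)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a 4096-byte file whose data section starts at 1024.
	tensors := []TensorInfo{
		{Name: "ok.weight", Offset: 0, Size: 2048},
		{Name: "bad.weight", Offset: 2048, Size: 1 << 20}, // declared size runs past EOF
	}
	fmt.Println(ValidateTensorBounds(tensors, 1024, 4096))
}
```

Running the check once at parse time, before quantization or any other consumer touches the tensor list, means a rejected file never reaches a code path that reads tensor data.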

Fix

Out of bounds Read

Weakness Enumeration

Related Identifiers

BDU:2026-08028
CVE-2026-7482
GHSA-X8QC-FGGM-MPQG

Affected Products

Ollama