Critical Ollama GGUF Loader Vulnerability Exposes Sensitive Process Memory to Remote Attackers
- May 11
- 3 min read
Key Findings
CVE-2026-7482 (CVSS 9.1) affects Ollama versions before 0.17.1, impacting an estimated 300,000+ servers globally
Out-of-bounds read in GGUF model loader allows unauthenticated remote attackers to leak entire process memory
Vulnerability enables exfiltration of API keys, environment variables, system prompts, and user conversation data
Two additional Windows update flaws (CVE-2026-42248 and CVE-2026-42249) enable persistent code execution but remain unpatched
Ollama is widely deployed with 171,000+ GitHub stars and has become a popular framework for running LLMs locally
Background
Ollama is an open-source framework that enables large language models to run locally on user machines rather than relying on cloud-based services. The project has gained significant traction in the development community with over 171,000 stars on GitHub and more than 16,100 forks. GGUF, which stands for GPT-Generated Unified Format, is the standard file format Ollama uses to store and load language models locally, similar to formats like PyTorch and safetensors.
The Vulnerability - CVE-2026-7482
The flaw exists in Ollama's GGUF model loader component, specifically in functions within fs/ggml/gguf.go and server/quantization.go. When processing a GGUF file through the /api/create endpoint, the vulnerability occurs during model quantization in the WriteTo() function. The issue stems from improper use of Go's unsafe package, which bypasses the language's memory safety guarantees. An attacker can craft a malicious GGUF file with artificially inflated tensor offset and size values that exceed the actual file length, causing the server to read past the allocated heap buffer.
Attack Mechanics
Exploitation requires three coordinated steps. First, an attacker uploads a specially crafted GGUF file with an inflated tensor shape to an exposed Ollama server using an HTTP POST request. Next, they trigger model creation via the /api/create endpoint, which activates the out-of-bounds read and causes sensitive data to be loaded into heap memory. Finally, the attacker exfiltrates this data by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry.
Data Exposure Risks
The out-of-bounds read can leak highly sensitive information from the Ollama process memory. This includes environment variables, API keys, system prompts, and conversation data from concurrent users. The impact is particularly severe when Ollama is integrated with other tools like Claude Code, where all tool outputs flow through the server and can be compromised. As Cyera researcher Dor Attias noted, attackers could access proprietary code, customer contracts, and other organizational secrets stored in the AI inference pipeline.
Windows Update Vulnerabilities
Two separate flaws in Ollama's Windows update mechanism remain unpatched as of the 90-day disclosure deadline. CVE-2026-42248 involves missing signature verification on update binaries before installation, unlike the macOS version which properly validates updates. CVE-2026-42249 is a path traversal vulnerability where the updater creates staging directories directly from unsanitized HTTP response headers. The Windows desktop client auto-starts on login and periodically polls for updates, allowing attackers who control an update server to inject arbitrary executables that execute at every login.
Recommended Mitigations
Organizations should immediately update to Ollama 0.17.1 or later. Network access to Ollama instances should be restricted and existing deployments audited for internet exposure. All instances should be isolated behind firewalls and protected with authentication proxies or API gateways, since Ollama's REST API lacks built-in authentication. Organizations running Windows clients should be aware that the update mechanism flaws remain unpatched and warrant additional security controls until fixes are released.
Sources
https://thehackernews.com/2026/05/ollama-out-of-bounds-read-vulnerability.html
https://www.threads.com/@harboot/post/DYKQiw3lFHy/a-critical-out-of-bounds-read-vulnerability-in-ollama-gguf-loader-cve-allows/
https://x.com/TheCyberSecHub/status/2053456826382115217
https://x.com/TweetThreatNews/status/2053471388522996004
https://www.linkedin.com/posts/cybercureme_ollama-out-of-bounds-read-vulnerability-allows-activity-7459222366422937600-umpE

Comments