CVE-2026-42249
Published 2026-04-29
Priority: P2 (63) · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.63% (45.4th percentile)
Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory.
An attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker‑chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables.
Critically, when chained with CVE‑2026‑42248 (Missing Signature Verification for Updates), an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness.
Maintainers of this project were notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Versions 0.12.10 through 0.17.5 were tested and confirmed as vulnerable; other versions were not tested but might also be vulnerable.
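The path handling described above, as an added Go example (not Ollama's code): `stagePathUnsafe` joins a header-derived value the way the advisory describes, and `stagePathSafe` is a hypothetical hardened helper that accepts only a bare file name and confirms the result stays inside the staging directory. The function names, staging directory and file names are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// stagePathUnsafe reproduces the flawed pattern: the header-derived value
// goes straight into filepath.Join, which cleans "../" segments away.
func stagePathUnsafe(stageDir, headerName string) string {
	return filepath.Join(stageDir, headerName)
}

// stagePathSafe (hypothetical helper) accepts only a bare file name, then
// confirms the joined path is still a direct child of stageDir.
func stagePathSafe(stageDir, headerName string) (string, error) {
	if headerName == "" || headerName == "." || headerName == ".." ||
		strings.ContainsAny(headerName, `/\:`) {
		return "", errors.New("rejected header-derived file name")
	}
	p := filepath.Join(stageDir, headerName)
	rel, err := filepath.Rel(stageDir, p)
	if err != nil || rel != headerName {
		return "", errors.New("path escapes staging directory")
	}
	return p, nil
}

func main() {
	// Constructed sample values; not taken from the advisory.
	stage := filepath.FromSlash("/tmp/updates/stage")
	for _, name := range []string{"update.exe", "../../Startup/dropped.exe"} {
		fmt.Println("unsafe:", stagePathUnsafe(stage, name))
		p, err := stagePathSafe(stage, name)
		fmt.Printf("safe:   %q err=%v\n", p, err)
	}
}
```

Path containment only addresses the traversal; the downloaded file's authenticity is the separate issue tracked as CVE-2026-42248.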
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ollama | ollama | 0.12.10 – 0.17.5 | — |
Detection & IOCs (extracted from sources)
- Monitor for new executable files written to the Windows Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) by the Ollama process, which may indicate successful path traversal exploitation.
- Detect path traversal sequences (../) in HTTP response headers consumed by the Ollama updater; the application passes header-derived values directly to filepath.Join without sanitization.
- Alert on the OLLAMA_UPDATE_URL environment variable being set to a non-default or plain HTTP value, which an attacker would use to redirect the client to a malicious update server.
- Monitor Ollama process spawning child processes or writing binaries outside its expected staging directory, particularly into user Startup folders, as an indicator of exploitation.
- Flag Ollama Windows installations running versions 0.12.10 through 0.17.5 (confirmed vulnerable) or up to 0.22.0 (per researcher statement) for prioritized patching and monitoring.
- The attack chain requires AutoUpdateEnabled to be on, which is the default setting; disabling automatic updates mitigates exploitation.
- Without chaining with CVE-2026-42248 (missing signature verification), path traversal-based persistence is not achieved; the missing signature check alone can also lead to code execution without path traversal.
- Without the path traversal (CVE-2026-42249), RCE via CVE-2026-42248 alone is not persistent because the next legitimate update overwrites the staged file.
- The attacker must be able to control or intercept the update server reachable by the victim's Ollama client for exploitation to succeed.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.7 | HIGH | CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-7mp6-jmch-f3fh
ghsa_unreviewed · 2026-04-29
CVE-2026-42249 [HIGH] CWE-22
VulDB
Ollama up to 0.17.5 on Windows Update code download (EUVD-2026-26211)
vuldb · 2026-04-29 · CVSS 7.7 · CVE-2026-42249 [HIGH]
A vulnerability, which was classified as problematic, has been found in Ollama up to 0.17.5 on Windows. This affects an unknown function of the component Update Handler. The manipulation leads to download of code without integrity check.
This vulnerability is uniquely identified as CVE-2026-42249. The attack can be carried out remotely. No exploit exists.
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
blogs_hackernews·2026-05-11·CVSS 9.3
CVE-2026-6973 [CRITICAL] ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
## ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping st
Hackernews
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
blogs_hackernews·2026-05-10·CVSS 8.8
CVE-2026-7482 [HIGH] Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
## Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
Cybersecurity researchers have disclosed a critical security vulnerability in Ollama that, if successfully exploited, could allow a remote, unauthenticated attacker to leak its entire process memory.
The out-of-bounds read flaw, which likely impacts over 300,000 servers globally, is tracked as CVE-2026-7482 (CVSS score: 9.1). It has been codenamed Bleeding Llama by Cyera.
Ollama is a popular open-source framework that allows large language models (LLMs) to be run locally instead of on the cloud. On GitHub, the project has more than 171,000 stars and h