CVE-2026-7482
published 2026-05-04CVE-2026-7482: Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file…
PriorityP182critical9.1CVSS 3.1
AVNACLPRNUINSUCHINAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
1.00%
58.5th percentile
Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | ollama_ollama | >= 0 < 0.17.1 | 0.17.1 |
| ollama | ollama | < 0.17.1 | 0.17.1 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for HTTP POST requests to /api/create containing GGUF file uploads where declared tensor offset/size fields exceed the actual file length — this is the trigger for the out-of-bounds heap read. ↗
- →Alert on HTTP POST requests to /api/push immediately following /api/create from the same source — this two-step sequence (create then push to external registry) is the exfiltration pattern for CVE-2026-7482. ↗
- →Flag any Ollama instance bound to 0.0.0.0 (OLLAMA_HOST=0.0.0.0) as high-risk; unauthenticated /api/create and /api/push endpoints are directly reachable from the internet in this configuration. ↗
- →Detect unauthenticated access to /api/create and /api/push — neither endpoint requires authentication in the upstream Ollama distribution, making any external-origin request to these endpoints suspicious. ↗
- →Inspect GGUF files submitted to /api/create for tensor shape fields set to abnormally large numbers, which is the crafted payload characteristic used to trigger the heap over-read. ↗
- →Look for the vulnerable code path WriteTo() in server/quantization.go as a static analysis or runtime tracing target; exploitation always passes through this function. ↗
- ·Default Ollama deployments bind only to localhost (127.0.0.1), significantly limiting remote exploitability; risk is critically elevated when OLLAMA_HOST is set to 0.0.0.0. ↗
- ·Neither /api/create nor /api/push implement authentication in the upstream Ollama distribution; any network-reachable instance is exploitable without credentials. ↗
- ·The vulnerability is fixed in Ollama 0.17.1; all prior versions are affected. Deployments should be audited and upgraded. ↗
CVSS provenance
nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
nvdv4.08.8HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:D/RE:L/U:Red
vulncheck9.1CRITICAL
vendor_redhat8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-x8qc-fggm-mpqg: Ollama before 0
ghsa_unreviewed·2026-05-04
CVE-2026-7482 [HIGH] CWE-125 GHSA-x8qc-fggm-mpqg: Ollama before 0
Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 co
GHSA
Ollama contains a heap out-of-bounds read vulnerability in the GGUF model loader
ghsa·2026-05-04
CVE-2026-7482 [HIGH] CWE-125 Ollama contains a heap out-of-bounds read vulnerability in the GGUF model loader
Ollama contains a heap out-of-bounds read vulnerability in the GGUF model loader
Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution
VulnCheck
ollama ollama Out-of-bounds Read
vulncheck·2026·CVSS 9.1
CVE-2026-7482 [CRITICAL] ollama ollama Out-of-bounds Read
ollama ollama Out-of-bounds Read
Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the
Red Hat
github.com/ollama/ollama: ollama: Ollama: Information disclosure via heap out-of-bounds read in GGUF model loader
vendor_redhat·2026-05-04·CVSS 8.8
CVE-2026-7482 [HIGH] CWE-125 github.com/ollama/ollama: ollama: Ollama: Information disclosure via heap out-of-bounds read in GGUF model loader
github.com/ollama/ollama: ollama: Ollama: Information disclosure via heap out-of-bounds read in GGUF model loader
A flaw was found in Ollama. A remote attacker can exploit a heap out-of-bounds read vulnerability in the GGUF model loader by providing a specially crafted GGUF (GGML Unified Format) file to the /api/create endpoint. This allows the attacker to read beyond the allocated memory buffer, potentially disclosing sensitive information such as environment variables, API keys, system prompts, and user conversation data. The leaked data can then be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. Both /api/create and /api/push endpoints lack authentication in the upstream distribution, increasing the risk of exploi
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-7482 python-ollama: Ollama: Information disclosure via heap out-of-bounds read in GGUF model loader [fedora-all]
bugzilla·2026-05-12·CVSS 8.8
CVE-2026-7482 [HIGH] CVE-2026-7482 python-ollama: Ollama: Information disclosure via heap out-of-bounds read in GGUF model loader [fedora-all]
CVE-2026-7482 python-ollama: Ollama: Information disclosure via heap out-of-bounds read in GGUF model loader [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-7482 ollama: Ollama: Information disclosure via heap out-of-bounds read in GGUF model loader [fedora-all]
bugzilla·2026-05-12·CVSS 8.8
CVE-2026-7482 [HIGH] CVE-2026-7482 ollama: Ollama: Information disclosure via heap out-of-bounds read in GGUF model loader [fedora-all]
CVE-2026-7482 ollama: Ollama: Information disclosure via heap out-of-bounds read in GGUF model loader [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-7482 github.com/ollama/ollama: ollama: Ollama: Information disclosure via heap out-of-bounds read in GGUF model loader
bugzilla·2026-05-04·CVSS 8.8
CVE-2026-7482 [HIGH] CVE-2026-7482 github.com/ollama/ollama: ollama: Ollama: Information disclosure via heap out-of-bounds read in GGUF model loader
CVE-2026-7482 github.com/ollama/ollama: ollama: Ollama: Information disclosure via heap out-of-bounds read in GGUF model loader
Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have
Hackernews
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
blogs_hackernews·2026-05-11·CVSS 9.3
CVE-2026-6973 [CRITICAL] ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping st
Hackernews
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
blogs_hackernews·2026-05-10·CVSS 8.8
CVE-2026-7482 [HIGH] Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
Cybersecurity researchers have disclosed a critical security vulnerability in Ollama that, if successfully exploited, could allow a remote, unauthenticated attacker to leak its entire process memory.
The out-of-bounds read flaw, which likely impacts over 300,000 servers globally, is tracked as CVE-2026-7482 (CVSS score: 9.1). It has been codenamed Bleeding Llama by Cyera.
Ollama is a popular open-source framework that allows large language models (LLMs) to be run locally instead of on the cloud. On GitHub, the project has more than 171,000 stars and h
2026-05-04
Published
Exploited in the wild