CVE-2026-7482
published 2026-05-04

Priority P182 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.00% (58.5th percentile)
Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed).

Affected

2 ranges
Vendor      Product        Version range    Fixed in
github.com  ollama_ollama  >= 0 < 0.17.1    0.17.1
ollama      ollama         < 0.17.1         0.17.1

Detection & IOCs (extracted from sources)

url: /api/create
url: /api/push
path: fs/ggml/gguf.go
path: server/quantization.go
port: 11434
  • Monitor for HTTP POST requests to /api/create containing GGUF file uploads where declared tensor offset/size fields exceed the actual file length — this is the trigger for the out-of-bounds heap read.
  • Alert on HTTP POST requests to /api/push immediately following /api/create from the same source — this two-step sequence (create then push to external registry) is the exfiltration pattern for CVE-2026-7482.
  • Flag any Ollama instance bound to 0.0.0.0 (OLLAMA_HOST=0.0.0.0) as high-risk; unauthenticated /api/create and /api/push endpoints are directly reachable from the internet in this configuration.
  • Detect unauthenticated access to /api/create and /api/push — neither endpoint requires authentication in the upstream Ollama distribution, making any external-origin request to these endpoints suspicious.
  • Inspect GGUF files submitted to /api/create for tensor shape fields set to abnormally large numbers, which is the crafted payload characteristic used to trigger the heap over-read.
  • Look for the vulnerable code path WriteTo() in server/quantization.go as a static analysis or runtime tracing target; exploitation always passes through this function.
  • Default Ollama deployments bind only to localhost (127.0.0.1), significantly limiting remote exploitability; risk is critically elevated when OLLAMA_HOST is set to 0.0.0.0.
  • Neither /api/create nor /api/push implements authentication in the upstream Ollama distribution; any network-reachable instance is exploitable without credentials.
  • The vulnerability is fixed in Ollama 0.17.1; all prior versions are affected. Deployments should be audited and upgraded.
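
The create-then-push correlation from the detection notes above, as an added example that is not part of the original advisory or Ollama's own code. It assumes Gin-style access log lines; the 10-minute window, the function name and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed Gin-style access log layout; adjust the pattern to your own logs.
LINE_RE = re.compile(
    r'\[GIN\] (?P<ts>\d{4}/\d{2}/\d{2} - \d{2}:\d{2}:\d{2}) \|\s*(?P<status>\d{3}) \|'
    r'[^|]*\|\s*(?P<ip>[0-9a-fA-F:.]+) \|\s*(?P<method>[A-Z]+)\s+"(?P<path>[^"]*)"'
)
WINDOW = timedelta(minutes=10)  # assumed correlation window, not from the advisory


def find_create_then_push(lines, window=WINDOW):
    """Return alerts for POST /api/push following POST /api/create from one source."""
    last_create = {}  # source IP -> time of its most recent POST /api/create
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["method"] != "POST":
            continue
        ts = datetime.strptime(m["ts"], "%Y/%m/%d - %H:%M:%S")
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        if path == "/api/create":
            last_create[ip] = ts
        elif path == "/api/push" and ip in last_create:
            gap = ts - last_create[ip]
            if timedelta(0) <= gap <= window:
                alerts.append({
                    "source": ip,
                    "push_at": ts,
                    "gap_seconds": int(gap.total_seconds()),
                    # A non-loopback origin means the API is network-reachable.
                    "external": not ipaddress.ip_address(ip).is_loopback,
                })
    return alerts


# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = [
    '[GIN] 2026/05/04 - 10:00:01 | 200 |   1.2s |  203.0.113.7 | POST     "/api/create"',
    '[GIN] 2026/05/04 - 10:00:05 | 200 |   3.1ms |  127.0.0.1 | POST     "/api/generate"',
    '[GIN] 2026/05/04 - 10:00:40 | 200 |   8.9s |  203.0.113.7 | POST     "/api/push"',
    '[GIN] 2026/05/04 - 10:05:00 | 200 |   2.0s |  198.51.100.9 | POST     "/api/push"',
    '[GIN] 2026/05/04 - 11:30:00 | 200 |   2.0s |  127.0.0.1 | POST     "/api/create"',
]

if __name__ == "__main__":
    for alert in find_create_then_push(SAMPLE):
        print(alert)
```

If Ollama sits behind a reverse proxy, run the same correlation over the proxy's access log, since the Ollama log would then show only the proxy's address as the source.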

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.1    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
nvd            v4.0     8.8    HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:D/RE:L/U:Red
vulncheck               9.1    CRITICAL
vendor_redhat           8.8    HIGH