Home

Description

Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed).

PUBLISHED Reserved 2026-04-30 | Published 2026-05-04 | Updated 2026-05-04 | Assigner Echo




CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Red

Problem types

CWE-125 Out-of-bounds Read

Product status

Default status
unaffected

Any version before 0.17.1
affected

Credits

Cyera Research Team (Dor Attias, Ofek Itach) finder

References

github.com/ollama/ollama/pull/14406 (ollama/ollama PR #14406 — ggml: ensure tensor size is valid (fix)) patch

github.com/...ommit/88d57d0483cca907e0b23a968c83627a20b21047 (Fix commit 88d57d0) patch

github.com/ollama/ollama/releases/tag/v0.17.1 (ollama v0.17.1 release notes) release-notes

cve.org (CVE-2026-7482)

nvd.nist.gov (CVE-2026-7482)

Download JSON