Cybersecurity experts have identified a severe vulnerability in Ollama, which poses a significant threat to remote servers. This critical flaw allows unauthenticated attackers to access and leak the entire memory of processes running on compromised systems.
The vulnerability, classified as an out-of-bounds read issue, affects more than 300,000 servers worldwide and is designated as CVE-2026-7482, with a high CVSS score of 9.1. The cybersecurity firm Cyera has dubbed this vulnerability Bleeding Llama, highlighting its potential severity.
Ollama is widely used as an open-source platform that facilitates the execution of large language models (LLMs) locally rather than through cloud-based solutions. Currently, it boasts over 171,000 stars on GitHub and has been forked more than 16,100 times, signifying its importance in the tech community.
“Versions of Ollama prior to 0.17.1 exhibit a critical heap out-of-bounds read vulnerability within the GGUF model loader,” the CVE description specifies. The vulnerability occurs at the /api/create endpoint, where an attacker can upload a malicious GGUF file containing a declared tensor offset and size that exceeds the file’s actual length, leading the server to read beyond allocated memory boundaries.
The GGUF (GPT-Generated Unified Format) is designed to facilitate the storage and loading of LLMs. It functions similarly to other prominent formats such as PyTorch’s .pt/.pth, safetensors, and ONNX, which are utilized for model management. The root cause of the issue lies in Ollama’s reliance on the unsafe package when managing GGUF files, particularly within a function named “WriteTo(),” enabling operations that circumvent the memory safety promises inherent in the programming language.
In a potential attack scenario, a malicious user could target an exposed Ollama server by sending a specially crafted GGUF file with an inflated tensor shape, triggering the out-of-bounds memory read during the model creation process. This exploitation could compromise sensitive data, including environment variables, API keys, and user conversations, which could subsequently be exfiltrated by uploading the model artifact through the /api/push endpoint to a server controlled by the attacker.
The exploitation process occurs in three main stages: first, the attacker uploads a crafted GGUF file to the server; second, they invoke the /api/create endpoint to trigger the vulnerability; finally, they utilize the /api/push endpoint to extract sensitive data from the compromised memory to their external server. Cyera’s research indicates that an attacker could harvest critical insights about an organization’s infrastructure and proprietary assets, intensifying the threat landscape.
In light of these vulnerabilities, users are urged to implement the latest patches, restrict network access to Ollama instances, and secure them behind robust firewalls. Introducing an authentication proxy or API gateway is advisable as the current REST API does not include default authentication measures.
Additional Risks: Unpatched Flaws in Ollama’s Windows Update Mechanism
Furthermore, Striga researchers have reported two unpatched vulnerabilities within Ollama’s Windows auto-update functionality that could facilitate persistent code execution. Despite being disclosed on January 27, 2026, these flaws remain unresolved. They relate to path traversal and missing signature checks in the update process, creating a dangerous vulnerability vector for attackers.
The vulnerabilities identified include CVE-2026-42248, a missing signature verification flaw, and CVE-2026-42249, a path traversal issue, both scored at a CVSS of 7.7. An attacker controlling the update server can exploit these flaws, executing arbitrary code every time a user logs in. Striga’s co-founder, Bartłomiej “Bartek” Dmitruk, confirmed that instances of the Windows desktop client from versions 0.12.10 through 0.17.5 are at risk.
Users are advised to disable auto-updates and remove any existing Ollama shortcuts from the Windows Startup folder to mitigate the risk of silent code execution during login. The combination of these flaws underscores the potential for malicious actors to maintain persistence and execute code with the same privileges as the user operating Ollama, posing serious risks for organizations.
Overall, these vulnerabilities highlight the critical need for enhanced cybersecurity practices, particularly for software platforms with extensive user bases. As the implications of such flaws continue to evolve, vigilance and proactive measures are paramount in safeguarding sensitive information against potential exploits.