Ollama process memory leakage via GGUF tensor parsing flaw disclosed
Summary
A critical out-of-bounds read vulnerability in the Ollama framework (CVE-2026-7482, CVSS 9.1) enables remote, unauthenticated attackers to leak the entire process memory of exposed Ollama instances. The flaw resides in the GGUF model loader used by Ollama versions prior to 0.17.1 and stems from deficient bounds checking in the WriteTo() function during model quantization. Attackers can craft malicious GGUF files with exaggerated tensor offsets and sizes to trigger heap memory reads beyond allocated buffers when using the /api/create endpoint. Exploitation allows extraction of sensitive runtime data including environment variables, API keys, system prompts, and user conversations via the /api/push endpoint. Impacted deployments include over 300,000 globally exposed servers using Ollama for local LLM inference, with risk heightened when instances are connected to tools like Claude Code that process proprietary data. Users are advised to upgrade immediately, restrict network exposure, and implement authentication layers as the REST API lacks built-in access controls.
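The missing check described above, written out as an added Go example (not Ollama's code and not the upstream patch): a tensor descriptor is accepted only if its byte range fits inside the data actually present in the file. The `TensorDesc` type, its fields and the fixed per-element width are simplifying assumptions; real GGUF quantized types are sized per block.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// TensorDesc is a hypothetical, simplified tensor header entry: a shape,
// a per-element byte width and an offset into the tensor data region.
type TensorDesc struct {
	Name     string
	Shape    []uint64
	ElemSize uint64 // assumption: fixed width per element
	Offset   uint64
}

var ErrTensorBounds = errors.New("tensor extends past data region")

// ByteSize multiplies out the shape and rejects any product that overflows uint64.
func (t TensorDesc) ByteSize() (uint64, error) {
	n := t.ElemSize
	for _, d := range t.Shape {
		hi, lo := bits.Mul64(n, d)
		if hi != 0 {
			return 0, fmt.Errorf("%s: size overflow: %w", t.Name, ErrTensorBounds)
		}
		n = lo
	}
	return n, nil
}

// CheckTensor verifies that [Offset, Offset+size) lies inside dataLen bytes.
// Offset+size is never computed, since it can wrap for attacker-chosen values.
func CheckTensor(t TensorDesc, dataLen uint64) error {
	size, err := t.ByteSize()
	if err != nil {
		return err
	}
	if t.Offset > dataLen || size > dataLen-t.Offset {
		return fmt.Errorf("%s: offset %d, size %d, data %d: %w", t.Name, t.Offset, size, dataLen, ErrTensorBounds)
	}
	return nil
}

func main() {
	// Constructed input: a shape far larger than the 4096 bytes present.
	bad := TensorDesc{"blk.1.w", []uint64{1 << 20, 1 << 20}, 4, 64}
	fmt.Println(CheckTensor(bad, 4096))
}
```

A loader would run this check on every descriptor before any read or copy of tensor data, and fail the whole file on the first error.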
Timeline
- 10.05.2026 15:41 (1 article): Ollama out-of-bounds read flaw (CVE-2026-7482) enables remote process memory leakage
A heap out-of-bounds read in Ollama’s GGUF loader (versions < 0.17.1) allows remote, unauthenticated attackers to trigger unbounded heap reads during model creation via the /api/create endpoint. The exploitation chain involves uploading a maliciously crafted GGUF file, triggering memory leakage, and exfiltrating data through the /api/push endpoint. Successful attacks can reveal environment variables, API keys, system prompts, and user conversation content from the Ollama process heap. The impact scope spans over 300,000 globally exposed instances using Ollama for local LLM inference.
Sources:
- Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak — thehackernews.com — 10.05.2026 15:41
Information Snippets
- The vulnerability (CVE-2026-7482, CVSS score 9.1) is an out-of-bounds read in Ollama's GGUF model loader affecting versions before 0.17.1, specifically in the WriteTo() function during quantization in fs/ggml/gguf.go and server/quantization.go.
First reported: 10.05.2026 15:41 (1 source, 1 article). Sources:
- Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak — thehackernews.com — 10.05.2026 15:41
- Exploitation requires sending a crafted GGUF file with inflated tensor shape to the /api/create endpoint, triggering a heap read past buffer limits, and subsequently using /api/push to exfiltrate leaked memory contents to an attacker-controlled registry.
First reported: 10.05.2026 15:41 (1 source, 1 article). Sources:
- Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak — thehackernews.com — 10.05.2026 15:41
- Impacted data includes environment variables, API keys, system prompts, and concurrent user conversation data processed by the Ollama instance, with potential exposure of proprietary code and customer contracts when integrated with developer tools.
First reported: 10.05.2026 15:41 (1 source, 1 article). Sources:
- Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak — thehackernews.com — 10.05.2026 15:41
- Two additional vulnerabilities in Ollama for Windows enable persistent remote code execution via a flawed update mechanism (CVE-2026-42248 and CVE-2026-42249, CVSS 7.7 each) affecting versions 0.12.10 through 0.22.0.
First reported: 10.05.2026 15:41 (1 source, 1 article). Sources:
- Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak — thehackernews.com — 10.05.2026 15:41
- The Windows updater lacks signature verification and is vulnerable to path traversal, allowing an attacker controlling an update server to write arbitrary executables into the Windows Startup folder, achieving silent, persistent code execution at user privilege level.
First reported: 10.05.2026 15:41 (1 source, 1 article). Sources:
- Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak — thehackernews.com — 10.05.2026 15:41