CVE-2026-7482
Ollama heap out-of-bounds read in GGUF tensor parsing leaks server process memory to unauthenticated remote attackers
Description
Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed).
INFO
Published Date :
May 4, 2026, 1:16 p.m.
Last Modified :
May 5, 2026, 7:35 p.m.
Remotely Exploit :
Yes !
Source :
abd028dc-c042-4c4d-9749-38d0f850af89
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | abd028dc-c042-4c4d-9749-38d0f850af89 | ||||
| CVSS 4.0 | HIGH | abd028dc-c042-4c4d-9749-38d0f850af89 | ||||
| CVSS 4.0 | HIGH | abd028dc-c042-4c4d-9749-38d0f850af89 |
Solution
- Update Ollama to 0.17.1 or later.
- Restrict access to /api/create and /api/push endpoints.
- Do not use default 0.0.0.0 binding for Ollama.
Public PoC/Exploit Available at Github
CVE-2026-7482 has a 2 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-7482.
| URL | Resource |
|---|---|
| https://github.com/ollama/ollama/commit/88d57d0483cca907e0b23a968c83627a20b21047 | |
| https://github.com/ollama/ollama/pull/14406 | |
| https://github.com/ollama/ollama/releases/tag/v0.17.1 |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-7482 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-7482
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Ollama CVE-2026-7482 Heap OOB read reproduction and black-box impact notes
Python
1day vuln research I guess
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-7482 vulnerability anywhere in the article.
-
The Hacker News
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
Cybersecurity researchers have disclosed a critical security vulnerability in Ollama that, if successfully exploited, could allow a remote, unauthenticated attacker to leak its entire process memory. ... Read more
-
CybersecurityNews
Critical Ollama Memory Leak Vulnerability Exposes 300,000 Servers Globally
A major security flaw has placed Ollama, one of the most widely used platforms for running local AI models, at risk of a high-profile exposure event. The issue, dubbed “Bleeding Llama,” allows unauthe ... Read more
The following table lists the changes that have been made to the
CVE-2026-7482 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
New CVE Received by abd028dc-c042-4c4d-9749-38d0f850af89
May. 04, 2026
Action Type Old Value New Value Added Description Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed). Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:D/RE:L/U:Red Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H Added CWE CWE-125 Added Reference https://github.com/ollama/ollama/commit/88d57d0483cca907e0b23a968c83627a20b21047 Added Reference https://github.com/ollama/ollama/pull/14406 Added Reference https://github.com/ollama/ollama/releases/tag/v0.17.1