Description
Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed).
Published: 2026-05-04
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap out‑of‑bounds read triggered during GGUF model loading in Ollama. An attacker can supply a GGUF file in which the declared tensor offset and size surpass the actual file length. The server then reads past the allocated buffer, exposing arbitrary memory contents that may contain environment variables, API keys, system prompts, and conversation data of concurrent users. The leaked data can be exfiltrated by uploading the resulting model artifact through the unrestricted /api/push endpoint. This results in a remote information disclosure that can compromise secrets and user data.

Affected Systems

The flaw exists in Ollama prior to version 0.17.1, affecting all installations of the ollama:ollama product. Default deployments bind the service to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 setting is widely used, exposing the endpoints to the public Internet. Systems running any version earlier than 0.17.1 should be considered vulnerable until a patch is applied.

Risk and Exploitability

The CVSS v4.0 score of 8.8 classifies the issue as high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is unauthenticated remote access via the /api/create and /api/push endpoints, which have no built-in authentication in upstream distributions. An attacker can craft a malicious GGUF file, trigger the vulnerable read, and recover sensitive memory contents before exfiltrating them through the push endpoint to an attacker-controlled registry. Because the attack does not require privileged access, every user and component served by the vulnerable server is potentially affected.

Generated by OpenCVE AI on May 4, 2026 at 14:36 UTC.

Remediation

Vendor Solution

Upgrade to ollama 0.17.1 or later. The fix in PR #14406 validates that declared tensor offset+size do not exceed the GGUF file size before reading, and adds a length check in the quantizer prior to the unsafe read.
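The kind of check the fix describes, shown as an added example (not Ollama's code and not taken from PR #14406): a declared tensor range is validated against the file size before any read, with the comparison ordered so that offset+size cannot wrap around. TensorInfo, CheckTensor, ReadTensor and the 64-byte sample file are hypothetical names and constructed data.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// TensorInfo is a simplified, hypothetical view of one GGUF tensor entry (not Ollama's type).
type TensorInfo struct {
	Name   string
	Offset uint64 // relative to the start of the tensor data region
	Size   uint64 // declared byte length
}

var ErrTensorBounds = errors.New("tensor exceeds file bounds")

// CheckTensor rejects a declared range that leaves the file; no addition here can overflow uint64.
func CheckTensor(t TensorInfo, dataStart, fileSize uint64) error {
	if dataStart > fileSize {
		return fmt.Errorf("%w: data region starts past EOF", ErrTensorBounds)
	}
	avail := fileSize - dataStart
	if t.Offset > avail || t.Size > avail-t.Offset {
		return fmt.Errorf("%w: %q offset=%d size=%d avail=%d",
			ErrTensorBounds, t.Name, t.Offset, t.Size, avail)
	}
	return nil
}

// ReadTensor validates first, then reads exactly Size bytes; a short read is an error, never padded.
func ReadTensor(r io.ReaderAt, t TensorInfo, dataStart, fileSize uint64) ([]byte, error) {
	if err := CheckTensor(t, dataStart, fileSize); err != nil {
		return nil, err
	}
	buf := make([]byte, t.Size)
	if n, err := r.ReadAt(buf, int64(dataStart+t.Offset)); n != len(buf) {
		return nil, err
	}
	return buf, nil
}

func main() {
	file := bytes.Repeat([]byte{0xAB}, 64) // constructed 64-byte stand-in for a GGUF file
	cases := []TensorInfo{{"ok", 0, 32}, {"too_long", 16, 64}, {"wraps", ^uint64(0) - 7, 16}}
	for _, t := range cases {
		_, err := ReadTensor(bytes.NewReader(file), t, 32, uint64(len(file)))
		fmt.Printf("%-8s -> %v\n", t.Name, err)
	}
}
```

A naive `offset+size > fileSize` test would accept the "wraps" case because the sum overflows to a small value; subtracting from the remaining length avoids that.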


Vendor Workaround

Until upgrade is possible: (1) ensure Ollama is bound to a trusted interface only (default OLLAMA_HOST=127.0.0.1); (2) front Ollama with a reverse proxy that requires authentication on /api/create and /api/push; (3) restrict outbound network egress from the Ollama host to prevent exfiltration via /api/push to attacker-controlled registries.


OpenCVE Recommended Actions

  • Upgrade to Ollama 0.17.1 or later to apply the GGUF offset and size validation fix.
  • Configure OLLAMA_HOST to bind to localhost only (e.g., 127.0.0.1) or otherwise restrict the service to trusted networks.
  • Protect /api/create and /api/push with authentication by placing Ollama behind a reverse proxy that requires credentials for those endpoints.
  • Restrict outbound network egress from the Ollama host to prevent exfiltration via /api/push to attacker‑controlled registries.



Advisories

No advisories yet.

History

Mon, 04 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Ollama; Ollama ollama
Vendors & Products |  | Ollama; Ollama ollama

Mon, 04 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics |  | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 04 May 2026 13:00:00 +0000

Type | Values Removed | Values Added
Description |  | Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed).
Title |  | Ollama heap out-of-bounds read in GGUF tensor parsing leaks server process memory to unauthenticated remote attackers
Weaknesses |  | CWE-125
References |  |
Metrics |  | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}
Metrics |  | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Red'}


MITRE

Status: PUBLISHED

Assigner: Echo

Published:

Updated: 2026-05-04T13:48:39.686Z

Reserved: 2026-04-30T06:03:40.622Z

Link: CVE-2026-7482

Vulnrichment

Updated: 2026-05-04T13:48:35.500Z

NVD

Status: Received

Published: 2026-05-04T13:16:01.727

Modified: 2026-05-04T13:16:01.727

Link: CVE-2026-7482

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T15:15:02Z
