CVE-2026-7482

CRITICAL

Ollama heap out-of-bounds read in GGUF tensor parsing leaks server process memory to unauthenticated remote attackers

Title source: cna
STIX 2.1

Description

Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed).

Exploits (1)

nomisec FAILED
by 0x0OZ · poc
https://github.com/0x0OZ/CVE-2026-7482-PoC

References (3)

Core 3
Core References
Patch patch
ollama/ollama PR #14406 — ggml: ensure tensor size is valid (fix)
https://github.com/ollama/ollama/pull/14406
Release Notes release-notes
ollama v0.17.1 release notes
https://github.com/ollama/ollama/releases/tag/v0.17.1

Scores

CVSS v3 9.1
EPSS 0.0009
EPSS Percentile 25.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-125
Status published
Products (1)
ollama/ollama < 0.17.1
Published May 04, 2026
Tracked Since May 04, 2026