Ollama Vulnerability “Bleeding Llama” Allows Remote Memory Leak From Exposed Servers

Cybersecurity researchers have disclosed a critical security flaw in Ollama that could allow a remote, unauthenticated attacker to leak the entire process memory of vulnerable servers.

Tracked as CVE-2026-7482 with a CVSS score of 9.1, the vulnerability has been codenamed “Bleeding Llama” by Cyera.

Ollama is a widely used open-source framework that enables users to run large language models (LLMs) locally instead of relying on cloud infrastructure. The project currently has more than 171,000 GitHub stars and over 16,000 forks.

Critical Heap Out-of-Bounds Read in GGUF Model Loader

According to the vulnerability description published on CVE.org, the issue affects Ollama versions prior to 0.17.1 and originates from a heap out-of-bounds read vulnerability in the GGUF model loader.

“The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length.”

The flaw occurs during model quantization in:

  • fs/ggml/gguf.go
  • server/quantization.go (WriteTo())

This allows the server to read beyond the allocated heap buffer.

What Is GGUF?

GGUF (GPT-Generated Unified Format) is a file format used for storing large language models so they can be loaded and executed efficiently on local systems.

Researchers found that Ollama’s use of Go’s unsafe package inside the WriteTo() function bypasses memory safety protections, ultimately enabling attackers to trigger unauthorized heap memory reads.

How the Attack Works

In a potential exploitation scenario, an attacker can upload a specially crafted GGUF file to an exposed Ollama server using the /api/create endpoint.

The malicious file contains manipulated tensor metadata with extremely large shape values, triggering the out-of-bounds read during model creation.

Exploitation Chain

  1. Upload a crafted GGUF file to a publicly accessible Ollama server
  2. Trigger model creation via the /api/create endpoint
  3. Leak memory contents from the heap
  4. Exfiltrate stolen data using the /api/push endpoint to an attacker-controlled registry

Alt text

Sensitive Data at Risk

Successful exploitation may expose highly sensitive information stored in Ollama process memory, including:

  • Environment variables
  • API keys
  • System prompts
  • Proprietary source code
  • Customer contracts
  • Concurrent user conversations
  • Tool outputs from connected AI agents

Dor Attias warned that integrations with external AI tooling significantly increase the impact of the vulnerability.

“Engineers often connect Ollama to tools like Claude Code. In those cases, all tool outputs flow to the Ollama server, get saved in the heap, and potentially end up in an attacker’s hands.”

Researchers estimate that more than 300,000 servers globally may be exposed to this issue.

Recommended Mitigations

Users are strongly advised to:

  • Upgrade to the latest patched Ollama release
  • Restrict public network exposure
  • Place Ollama instances behind a firewall
  • Deploy an authentication proxy or API gateway
  • Audit internet-facing Ollama deployments
  • Isolate AI infrastructure from sensitive internal systems

Notably, Ollama’s REST API does not provide built-in authentication by default.

Two Additional Windows Vulnerabilities Enable Persistent Code Execution

Separately, researchers from Striga disclosed two additional vulnerabilities affecting Ollama’s Windows update mechanism.

The flaws remain unpatched after a 90-day disclosure period and can reportedly be chained together to achieve persistent code execution.

Vulnerabilities Identified

CVE-2026-42248

CVSS: 7.7

A missing signature verification issue allows malicious update binaries to be installed without integrity validation.

CVE-2026-42249

CVSS: 7.7

A path traversal vulnerability allows attacker-controlled files to be written outside intended directories using unsanitized HTTP response headers.

Attack Requirements

To exploit the flaws, attackers must control or intercept the update server reachable by the victim’s Ollama client.

Researchers noted that attackers could abuse the OLLAMA_UPDATE_URL variable to redirect update requests to a malicious HTTP server.

The attack also depends on:

  • AutoUpdateEnabled being enabled (default)
  • Ollama auto-starting from the Windows Startup folder
  • Silent update execution during login

Persistent Malware Deployment

The chained vulnerabilities allow attackers to:

  • Drop arbitrary executables into the Windows Startup folder
  • Achieve silent execution at every login
  • Maintain persistence on the compromised system

Potential payloads include:

  • Reverse shells
  • Credential stealers
  • SSH key theft tools
  • Malware droppers
  • Additional persistence implants

According to CERT Polska, Ollama for Windows versions 0.12.10 through 0.17.5 are vulnerable.

Temporary Workarounds

Until patches are released, users should:

  • Disable automatic updates
  • Remove Ollama shortcuts from the Startup folder:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
* Monitor for unauthorized binaries
* Restrict local update traffic
* Avoid exposing Ollama services to untrusted networks

Security researchers warned that any executable dropped into the Startup folder will execute with the privileges of the current user during the next login session.

“The chain produces persistent, silent code execution at the privilege level of the user running Ollama,” researchers said.