Ollama Vulnerability “Bleeding Llama” Allows Remote Memory Leak From Exposed Servers
Cybersecurity researchers have disclosed a critical security flaw in Ollama that could allow a remote, unauthenticated attacker to leak the entire process memory of vulnerable servers.
Tracked as CVE-2026-7482 with a CVSS score of 9.1, the vulnerability has been codenamed “Bleeding Llama” by Cyera.
Ollama is a widely used open-source framework that enables users to run large language models (LLMs) locally instead of relying on cloud infrastructure. The project currently has more than 171,000 GitHub stars and over 16,000 forks.
Critical Heap Out-of-Bounds Read in GGUF Model Loader
According to the vulnerability description published on CVE.org, the issue affects Ollama versions prior to 0.17.1 and originates from a heap out-of-bounds read vulnerability in the GGUF model loader.
“The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length.”
The flaw occurs during model quantization in:
fs/ggml/gguf.goserver/quantization.go (WriteTo())
This allows the server to read beyond the allocated heap buffer.
What Is GGUF?
GGUF (GPT-Generated Unified Format) is a file format used for storing large language models so they can be loaded and executed efficiently on local systems.
Researchers found that Ollama’s use of Go’s unsafe package inside the WriteTo() function bypasses memory safety protections, ultimately enabling attackers to trigger unauthorized heap memory reads.
How the Attack Works
In a potential exploitation scenario, an attacker can upload a specially crafted GGUF file to an exposed Ollama server using the /api/create endpoint.
The malicious file contains manipulated tensor metadata with extremely large shape values, triggering the out-of-bounds read during model creation.
Exploitation Chain
- Upload a crafted GGUF file to a publicly accessible Ollama server
- Trigger model creation via the
/api/createendpoint - Leak memory contents from the heap
- Exfiltrate stolen data using the
/api/pushendpoint to an attacker-controlled registry

Sensitive Data at Risk
Successful exploitation may expose highly sensitive information stored in Ollama process memory, including:
- Environment variables
- API keys
- System prompts
- Proprietary source code
- Customer contracts
- Concurrent user conversations
- Tool outputs from connected AI agents
Dor Attias warned that integrations with external AI tooling significantly increase the impact of the vulnerability.
“Engineers often connect Ollama to tools like Claude Code. In those cases, all tool outputs flow to the Ollama server, get saved in the heap, and potentially end up in an attacker’s hands.”
Researchers estimate that more than 300,000 servers globally may be exposed to this issue.
Recommended Mitigations
Users are strongly advised to:
- Upgrade to the latest patched Ollama release
- Restrict public network exposure
- Place Ollama instances behind a firewall
- Deploy an authentication proxy or API gateway
- Audit internet-facing Ollama deployments
- Isolate AI infrastructure from sensitive internal systems
Notably, Ollama’s REST API does not provide built-in authentication by default.
Two Additional Windows Vulnerabilities Enable Persistent Code Execution
Separately, researchers from Striga disclosed two additional vulnerabilities affecting Ollama’s Windows update mechanism.
The flaws remain unpatched after a 90-day disclosure period and can reportedly be chained together to achieve persistent code execution.
Vulnerabilities Identified
CVE-2026-42248
CVSS: 7.7
A missing signature verification issue allows malicious update binaries to be installed without integrity validation.
CVE-2026-42249
CVSS: 7.7
A path traversal vulnerability allows attacker-controlled files to be written outside intended directories using unsanitized HTTP response headers.
Attack Requirements
To exploit the flaws, attackers must control or intercept the update server reachable by the victim’s Ollama client.
Researchers noted that attackers could abuse the OLLAMA_UPDATE_URL variable to redirect update requests to a malicious HTTP server.
The attack also depends on:
AutoUpdateEnabledbeing enabled (default)- Ollama auto-starting from the Windows Startup folder
- Silent update execution during login
Persistent Malware Deployment
The chained vulnerabilities allow attackers to:
- Drop arbitrary executables into the Windows Startup folder
- Achieve silent execution at every login
- Maintain persistence on the compromised system
Potential payloads include:
- Reverse shells
- Credential stealers
- SSH key theft tools
- Malware droppers
- Additional persistence implants
According to CERT Polska, Ollama for Windows versions 0.12.10 through 0.17.5 are vulnerable.
Temporary Workarounds
Until patches are released, users should:
- Disable automatic updates
- Remove Ollama shortcuts from the Startup folder:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
* Monitor for unauthorized binaries
* Restrict local update traffic
* Avoid exposing Ollama services to untrusted networks
Security researchers warned that any executable dropped into the Startup folder will execute with the privileges of the current user during the next login session.
“The chain produces persistent, silent code execution at the privilege level of the user running Ollama,” researchers said.