Threat Advisory

Ollama Vulnerability Exposes Heap Data Theft Paths

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-7482, with a CVSS score of 9.3, is a critical, remotely exploitable, unauthenticated vulnerability affecting Ollama, a popular open-source, self-hosted AI inference engine for running large language models on local machines. The vulnerability, dubbed Bleeding Llama, resides in the GGUF model loader, which accepts an attacker-supplied GGUF file whose declared tensor offset and size exceed the file's length, resulting in an out-of-bounds read on the heap. When an attacker sends such a file to the loader, it reads past the allocated heap buffer into memory that may contain sensitive information such as API keys, tokens, and secrets, including prompts, messages, and environment variables. By leveraging Ollama's built-in model push feature, the attacker can exfiltrate the resulting file, complete with stolen heap data, to an attacker-controlled server; the whole chain requires only three unauthenticated API calls.

Successful exploitation could expose employee interactions, development code, routed tool outputs, and prompts containing PII, PHI, and other sensitive information. Because Ollama launches by default without authentication and listens on all network interfaces, all internet-accessible instances are prone to exploitation, with approximately 300,000 Ollama servers currently exposed on the public internet. Any deployment where Ollama is network-accessible without a firewall or authentication proxy in front of it is at risk. Organizations should audit running instances for internet exposure and consider any instance accessible from the internet, as well as the environment variables and data passing through it, to be compromised.
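
The bounds check whose absence the summary describes, sketched as an added example (not Ollama's code and not part of the original advisory): a loader-side validator that rejects any tensor whose declared range falls outside the file. TensorDecl, ValidateTensors and the sample sizes are hypothetical names and constructed values; real GGUF header parsing is omitted.

```go
package main

import (
	"errors"
	"fmt"
)

// TensorDecl is a hypothetical, simplified tensor entry from a model file
// header: Offset is relative to the data section, Size is in bytes.
type TensorDecl struct {
	Name         string
	Offset, Size uint64
}

var ErrOutOfBounds = errors.New("declared tensor range exceeds file length")

// ValidateTensors returns an error unless every declared range
// [dataStart+Offset, dataStart+Offset+Size) lies inside a file of fileLen
// bytes. Each value is compared against the space still remaining, so an
// attacker-chosen Offset+Size can never wrap around uint64 and pass.
func ValidateTensors(fileLen, dataStart uint64, decls []TensorDecl) error {
	if dataStart > fileLen {
		return fmt.Errorf("data section at %d: %w", dataStart, ErrOutOfBounds)
	}
	avail := fileLen - dataStart // bytes actually present after the header
	for _, d := range decls {
		if d.Offset > avail {
			return fmt.Errorf("tensor %q offset %d: %w", d.Name, d.Offset, ErrOutOfBounds)
		}
		if d.Size > avail-d.Offset {
			return fmt.Errorf("tensor %q size %d: %w", d.Name, d.Size, ErrOutOfBounds)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a 128-byte file whose data section starts at byte 28.
	samples := [][]TensorDecl{
		{{"ok.weight", 0, 64}, {"ok.bias", 64, 36}}, // exactly fills the file
		{{"big.weight", 64, 4096}},                  // size runs past end of file
		{{"wrap.weight", 8, ^uint64(0) - 4}},        // Offset+Size would overflow
	}
	for _, s := range samples {
		fmt.Println(ValidateTensors(128, 28, s))
	}
}
```

Running the validator before any tensor data is read means a malformed file is refused at load time instead of being copied from whatever follows the buffer.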


RECOMMENDATION:

  • We recommend updating Ollama to version 0.17.1.

REFERENCES:

The following reports contain further technical details:
https://www.securityweek.com/critical-bug-could-expose-300000-ollama-deployments-to-information-theft/
