Ollama Vulnerability Exposes Remote Process Memory

Security researchers disclosed a critical memory-leak vulnerability in the open-source local inference platform Ollama, recorded as CVE-2026-7482 and publicized as "Bleeding Llama" by Cyera (CVE.org; Cyera). The CVE entry and multiple vendor analyses describe a heap out-of-bounds read inside the GGUF model loader that can expose process memory contents such as environment variables, API keys, system prompts, and concurrent users' conversation data (CVE.org; TheHackerNews; OpenCVE).

Per the CVE record, the flaw is triggered when an attacker supplies a crafted GGUF file whose declared tensor offset and size exceed the actual file length; during quantization the functions in fs/ggml/gguf.go and server/quantization.go (specifically WriteTo()) read past the allocated heap buffer and leak memory (CVE.org). The disclosed attack chain involves uploading the malformed GGUF file to a network-accessible Ollama instance, invoking model creation via the /api/create endpoint to trigger the out-of-bounds read, and then exfiltrating the resulting model artifact through the /api/push endpoint to an attacker-controlled registry because those endpoints have no upstream authentication (CVE.org; runZero; TheHackerNews).

Multiple reports estimate widespread exposure, citing project popularity metrics and observed deployments; public reporting references roughly 300,000 internet-accessible servers and GitHub interest exceeding 170,000 stars as context for the scope of potential impact (TheHackerNews; runZero; ITSecurityNews). The CVE entry notes default deployments bind to 127.0.0.1 but that the documented OLLAMA_HOST=0.0.0.0 configuration is commonly used in practice, increasing public exposure (CVE.org).

Self-hosted LLM infrastructure commonly mixes model ingestion and runtime in server processes that assume safe model artifacts. In that environment, file-format parsing bugs can bypass typical cloud-provider isolation and expose secrets held in process memory. Observers of comparable incidents note that unauthenticated, network-accessible endpoints amplify risk, because exploitation does not require prior credentials.

The vulnerability combines a high-severity memory-safety bug (CVSS 9.1) with practical exploitation paths described in the public advisory, making it notable for organizations running local model-serving stacks. Industry coverage frames the issue as part of a recurring class of risks around model file formats and local inference tooling (Cyera; TheHackerNews; runZero). For teams adopting self-hosted LLMs, the incident underscores that model artifact handling is an attack surface distinct from model behavior or prompt safety.

The CVE record indicates affected versions are Ollama prior to 0.17.1 and references patches and release notes (CVE.org). Multiple security advisories and vendor writeups recommend upgrading to 0.17.1 or later to remediate the issue and to audit any instances configured with OLLAMA_HOST=0.0.0.0 for public exposure (runZero; OpenCVE).

• •Monitor for available patches and apply updates to Ollama to reach 0.17.1 or later (runZero; CVE.org).
• •Inventory network-exposed instances and validate whether /api/create and /api/push are reachable from untrusted networks; treat unauthenticated endpoints as high-priority findings (CVE.org; runZero).
• •Consider isolating model-loading workflows and secrets so that memory contents accessible to model processes do not contain long-lived API keys or sensitive system prompts. This is an industry best practice observed in comparable hardening guidance.

Watch for exploit proof-of-concept code or scanning activity targeting /api/create endpoints, post-disclosure scanning that increases observed exploit attempts, and follow-up advisories from Ollama upstream or major downstream packagers. Track disclosure timelines from Cyera and the CVE entry for changes to severity or mitigation details (Cyera; CVE.org).