Critical Security Flaws in Ollama: Remote Memory Leak and Persistent Code Execution (2026)

Ollama, a popular open-source framework for running large language models (LLMs) locally, is affected by a critical security vulnerability. Dubbed Bleeding Llama by Cyera, it allows a remote, unauthenticated attacker to leak the entire process memory of an exposed Ollama server. The vulnerability is tracked as CVE-2026-7482, carries a CVSS score of 9.1, and impacts over 300,000 servers globally.

The issue stems from an out-of-bounds read flaw in the loader for GGUF, the file format used to store and load LLMs. The problem arises from Ollama's use of the unsafe package when creating models from GGUF files, specifically in the 'WriteTo()' function. Code that uses this package can perform operations that bypass the memory safety guarantees of the programming language.

In a hypothetical attack scenario, a bad actor sends a specially crafted GGUF file to an exposed Ollama server, triggering an out-of-bounds heap read during model creation. This can lead to the exfiltration of sensitive data from the Ollama process memory, including environment variables, API keys, system prompts, and concurrent users' conversation data. The exploitation chain involves uploading a crafted GGUF file, triggering the vulnerability via the '/api/create' endpoint, and then exfiltrating data via the '/api/push' endpoint to an external server.

The vulnerability is particularly concerning because attackers could gain access to sensitive organizational data, including API keys and proprietary code. The situation is made worse by the fact that Ollama is often connected to tools like Claude Code, which can further amplify the impact of the attack.

To mitigate this vulnerability, users are advised to apply the latest fixes, limit network access, audit and secure running instances, and deploy an authentication proxy or API gateway.
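
As an aid to the "audit running instances" advice, the sketch below scans access logs for the sequence described above: a non-loopback client calling '/api/create' and then '/api/push'. It is an added example, not code from the article, Cyera or the Ollama project. The GIN-style log layout, the sample lines and the names `FindCreateThenPush` and `Finding` are assumptions, so adjust the pattern to the server or proxy log format actually in use.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
	"time"
)

// Assumed GIN-style access line: time | status | latency | client IP | METHOD "path".
var lineRE = regexp.MustCompile(`^\[GIN\] (\S+ - \S+) \|\s*\d{3} \|[^|]*\|\s*(\S+) \|\s*(\S+)\s+"([^"]+)"`)

// Constructed sample log (documentation-range IPs), not captured from a real server.
const sampleLog = `[GIN] 2026/05/01 - 10:00:00 | 200 |  1.2ms |    127.0.0.1 | POST     "/api/create"
[GIN] 2026/05/01 - 10:00:05 | 200 |  9.8ms |    127.0.0.1 | POST     "/api/push"
[GIN] 2026/05/01 - 10:02:00 | 200 |  3.1ms |  203.0.113.7 | POST     "/api/create"
[GIN] 2026/05/01 - 10:02:10 | 200 |  2.0ms | 198.51.100.9 | POST     "/api/chat"
[GIN] 2026/05/01 - 10:02:40 | 200 | 55.0ms |  203.0.113.7 | POST     "/api/push"`

// Finding is a remote client that called /api/create and then /api/push.
type Finding struct{ Client string; Gap time.Duration }

// FindCreateThenPush flags non-loopback clients whose create is followed by a push within window.
func FindCreateThenPush(log string, window time.Duration) []Finding {
	lastCreate := map[string]time.Time{}
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		m := lineRE.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil || m[3] != "POST" {
			continue
		}
		ts, err := time.Parse("2006/01/02 - 15:04:05", m[1])
		if ip := net.ParseIP(m[2]); err != nil || ip == nil || ip.IsLoopback() {
			continue // unparsable line or local use
		}
		if c, ok := lastCreate[m[2]]; m[4] == "/api/push" && ok && ts.Sub(c) <= window {
			out = append(out, Finding{m[2], ts.Sub(c)})
			delete(lastCreate, m[2])
		} else if m[4] == "/api/create" {
			lastCreate[m[2]] = ts
		}
	}
	return out
}

func main() {
	fmt.Println(FindCreateThenPush(sampleLog, 5*time.Minute))
}
```

A match is a lead for triage rather than proof of compromise, since legitimate remote users can also create and push models.
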
Ollama is also affected by two unpatched vulnerabilities in its Windows update mechanism, which can be chained into persistent code execution. These vulnerabilities, detailed by Striga, involve a path traversal and a missing signature check. They allow an attacker to influence update responses and execute arbitrary code at every login, even after the next legitimate update overwrites the staged file. The vulnerabilities are tracked as CVE-2026-42248 and CVE-2026-42249, with CVSS scores of 7.7. To protect against them, users are recommended to turn off automatic updates and remove Ollama shortcuts from the Windows Startup folder. These issues highlight the ongoing challenges in securing open-source software and the importance of prompt patching and user vigilance.

Article information

Author: The Hon. Margery Christiansen
