PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42249 Ollama CVE debrief

## Summary Ollama for Windows versions 0.12.10 through 0.17.5 contain a path traversal vulnerability in their automatic update mechanism. The application constructs local file paths using attacker‑controlled HTTP response headers without validation, allowing directory traversal sequences (../) to be resolved. This enables an attacker who can influence update responses to write arbitrary files—including executables—to attacker‑chosen locations accessible to the current user, such as the Windows Startup directory. When combined with CVE‑2026‑42248 (missing signature verification), this flaw permits automatic, persistent remote code execution without user interaction or awareness. ## Technical Details The vulnerability stems from improper handling of HTTP response headers during the update download process. The application uses values derived from these headers directly in `filepath.Join` operations without sanitization or validation. This allows path traversal sequences to escape the intended update staging directory. The CVSS 4.0 vector (`CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L`) indicates an attack vector of adjacent network, high attack complexity, and high impact on confidentiality, integrity, and availability of the vulnerable component. The vulnerability is classified under CWE‑22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE‑494 (Download of Code Without Integrity Check). ## Affected Versions - **Confirmed vulnerable:** 0.12.10 through 0.17.5 - **Other versions:** Not tested but may also be affected ## Attack Scenario An attacker positioned to manipulate HTTP responses (e.g., via man‑in‑the‑middle on a local network, compromised update infrastructure, or DNS hijacking) can inject malicious path traversal sequences in update response headers. This causes the Ollama updater to write files outside the intended directory. By targeting the Windows Startup folder or other executable locations, the attacker achieves persistent code execution. The silent automatic update mechanism executes staged binaries without user interaction, making exploitation fully automatic. ## Detection Guidance Monitor for: - Uns

Vendor
Ollama
Product
Unknown
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-29
Original CVE updated
2026-05-18
Advisory published
2026-04-29
Advisory updated
2026-05-18

Who should care

Organizations and individuals running Ollama for Windows versions 0.12.10–0.17.5, particularly those with automatic updates enabled. Security teams monitoring supply chain and automatic update mechanisms. Network administrators responsible for endpoint security on Windows environments.

Technical summary

The Ollama for Windows updater fails to validate HTTP response header values used in filepath construction, enabling directory traversal that allows arbitrary file writes to sensitive locations including Windows Startup. Combined with missing signature verification (CVE‑2026‑42248), this results in automatic persistent code execution.

Defensive priority

HIGH

Recommended defensive actions

  • Disable automatic updates in Ollama for Windows until a patched version is available
  • Monitor network traffic for unexpected connections to Ollama update servers
  • Apply principle of least privilege to Ollama process execution
  • Verify integrity of Ollama binaries through independent checksum validation
  • Monitor Windows Startup directories and other sensitive locations for unauthorized file writes
  • Consider network segmentation to limit exposure to potential man-in-the-middle attacks on update channels

Evidence notes

CVE published 2026-04-29; modified 2026-05-18. Advisory from CERT‑PL ([email protected]) documents the vulnerability and confirms versions 0.12.10–0.17.5 as vulnerable. CPE data identifies Ollama as the affected product on Windows.

Official resources

2026-04-29