PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-7482 Ollama CVE debrief

CVE-2026-7482 is a heap out-of-bounds read in Ollama’s GGUF model loader that affects versions before 0.17.1. According to the CVE description and NVD record, a malicious GGUF file can declare tensor offsets and sizes that exceed the file’s actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), Ollama can read past the allocated heap buffer. The result is information disclosure, not a write primitive: leaked memory may include secrets or user data already in process memory. The practical risk is higher when Ollama is reachable over the network and when it processes untrusted model files. The supplied CVE description notes that /api/create and /api/push are unauthenticated in upstream distribution, and that deployments using OLLAMA_HOST=0.0.0.0 can be externally exposed. The fix is referenced by a patch commit, issue-tracking PR, and the v0.17.1 release.

Vendor
Ollama
Product
CVE-2026-7482
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-04
Original CVE updated
2026-05-11
Advisory published
2026-05-04
Advisory updated
2026-05-11

Who should care

Ollama operators, especially anyone exposing the service beyond localhost; platform teams handling untrusted GGUF uploads; and developers or administrators whose instances may hold API keys, system prompts, or conversation data in memory.

Technical summary

The vulnerability is a CWE-125 heap out-of-bounds read in Ollama’s GGUF handling path. An attacker-controlled GGUF file uploaded to /api/create can carry tensor metadata whose declared offset and size exceed the real file length. During quantization and WriteTo() processing, the loader reads beyond the heap buffer, which can expose adjacent memory contents. The supplied description says this memory may contain environment variables, API keys, system prompts, and concurrent users’ conversation data. NVD lists the affected range as versions before 0.17.1 and references the fix commit and v0.17.1 release.

Defensive priority

High — patch quickly on any instance that accepts model uploads or is reachable from untrusted networks.

Recommended defensive actions

  • Upgrade Ollama to v0.17.1 or later.
  • Restrict access to /api/create and /api/push; do not expose Ollama publicly unless required.
  • If network access is needed, prefer binding to localhost or placing the service behind strong network controls.
  • Treat GGUF files from untrusted sources as hostile input and review any workflows that import or convert them.
  • Rotate any secrets that may have been present in Ollama’s process environment or memory if exposure is possible.
  • Check deployment settings for OLLAMA_HOST=0.0.0.0 and reduce external reachability where feasible.

Evidence notes

The supplied CVE description states the flaw occurs in fs/ggml/gguf.go and server/quantization.go (WriteTo()) when attacker-supplied GGUF metadata exceeds the file length. NVD marks the issue as analyzed, classifies it as CWE-125, and lists the vulnerable version range as before 0.17.1. Official references include the patch commit, issue-tracking PR, and the v0.17.1 release tag.

Official resources

CVE published on 2026-05-04 and updated on 2026-05-11. The official references point to a fix commit, a tracking PR, and the v0.17.1 release, indicating the issue was remediated in that release line.