CVE-2026-7482: Heap OOB Read in Ollama
Platform
go
Component
ollama
Fixed in
0.17.1
CVE-2026-7482 describes a critical heap out-of-bounds read vulnerability discovered in Ollama versions 0.0.0 through 0.17.1. This vulnerability allows attackers to potentially extract sensitive information from the server's memory. Successful exploitation can lead to the exposure of API keys, environment variables, system prompts, and even the conversation data of other users. A patch is available in version 0.17.1.
Detect this CVE in your project
Upload your go.mod file and we'll tell you instantly if you're affected.
Impact and Attack Scenarios
The heap out-of-bounds read vulnerability in Ollama arises from insufficient validation of tensor offsets and sizes within the GGUF model loader. An attacker can craft a malicious GGUF file where the declared tensor offset and size exceed the file's actual length. When the server attempts to quantize this file, it reads beyond the allocated heap buffer, leading to a memory leak. The leaked memory contents can include highly sensitive data, such as API keys used to access external services, environment variables containing configuration details, system prompts that define the model's behavior, and the ongoing conversation data of other users interacting with the Ollama instance. This data can then be exfiltrated by uploading the resulting model artifact through the /api/push endpoint, effectively allowing an attacker to steal valuable secrets and potentially compromise the entire system.
Exploitation Context
CVE-2026-7482 was published on 2026-05-04. Its severity is rated as CRITICAL (CVSS 9.1). Public proof-of-concept (POC) code is currently unknown, but the vulnerability's ease of exploitation and the potential for data exfiltration suggest a high likelihood of exploitation if a POC is released. The vulnerability is not currently listed on KEV or EPSS, but the high CVSS score indicates a medium to high probability of exploitation. Monitor security advisories and threat intelligence feeds for updates.
Threat Intelligence
Exploit Status
EPSS
0.10% (27% percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- None — no integrity impact. Attacker cannot modify data.
- Availability
- High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-7482 is to immediately upgrade Ollama to version 0.17.1 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible due to compatibility issues or system downtime constraints, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement due to the nature of the GGUF file format, strict input validation on the /api/create endpoint can help. Specifically, implement checks to ensure that the declared tensor offset and size within the GGUF file are within reasonable bounds and do not exceed the file's actual length. After upgrading, verify the fix by attempting to load a known malicious GGUF file (if available) and confirming that the server does not crash or leak memory.
How to fix
Actualice a la versión 0.17.1 o posterior para mitigar la vulnerabilidad de lectura fuera de límites en el analizador de tensores GGUF. Esta actualización corrige el problema al verificar los límites del búfer antes de acceder a la memoria.
Frequently asked questions
What is CVE-2026-7482 — Heap OOB Read in Ollama?
CVE-2026-7482 is a critical vulnerability in Ollama versions 0.0.0–0.17.1 that allows attackers to read beyond the allocated heap buffer by providing a malicious GGUF file, potentially exposing sensitive data.
Am I affected by CVE-2026-7482 in Ollama?
If you are running Ollama versions 0.0.0 through 0.17.1, you are potentially affected by this vulnerability. Upgrade to 0.17.1 or later to mitigate the risk.
How do I fix CVE-2026-7482 in Ollama?
The recommended fix is to upgrade Ollama to version 0.17.1 or later. If immediate upgrade is not possible, implement temporary input validation on the /api/create endpoint.
Is CVE-2026-7482 being actively exploited?
While no active exploitation has been publicly confirmed, the vulnerability's severity and potential impact suggest a high likelihood of exploitation if a proof-of-concept is released.
Where can I find the official Ollama advisory for CVE-2026-7482?
Refer to the official Ollama security advisories and release notes on the Ollama GitHub repository for the latest information and updates regarding CVE-2026-7482: [https://github.com/jmorganca/ollama](https://github.com/jmorganca/ollama)
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your go.mod file and we'll tell you instantly if you're affected.
Scan your Go project now — no account
Upload your go.mod and get the vulnerability report instantly. No account. Uploading the file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...