Ollama, a popular open-source framework for running large language models (LLMs) locally, has been hit by a critical security vulnerability that could have far-reaching consequences. This vulnerability, dubbed 'Bleeding Llama' by Cyera, allows a remote, unauthenticated attacker to leak the entire process memory of an exposed Ollama server. The issue stems from a heap out-of-bounds read flaw in the GGUF model loader, which is a file format used to store and load LLMs. This flaw is tracked as CVE-2026-7482 and has a CVSS score of 9.1, indicating a high risk. The vulnerability is particularly concerning because it can be exploited without any authentication, and it affects over 300,000 servers globally. In a hypothetical attack scenario, a malicious actor can send a specially crafted GGUF file to an exposed Ollama server, triggering the out-of-bounds heap read during model creation. This can lead to the leakage of sensitive data, including environment variables, API keys, system prompts, and even conversation data from concurrent users. The exploitation chain involves three steps: uploading a crafted GGUF file, triggering the vulnerability via the /api/create endpoint, and then exfiltrating data from the heap memory to an external server using the /api/push endpoint. This vulnerability is not just a data leakage risk; it also raises concerns about the security of AI inference. As Cyera security researcher Dor Attias points out, an attacker can learn a lot about an organization from AI inference, including proprietary code and customer contracts. The situation is further exacerbated by the fact that Ollama is often connected to tools like Claude Code, which can lead to even higher-impact attacks. To mitigate this vulnerability, users are advised to take several measures. These include applying the latest fixes, limiting network access, auditing running instances for internet exposure, and isolating and securing them behind a firewall. Additionally, deploying an authentication proxy or API gateway is recommended, as the REST API does not provide authentication out-of-the-box. The recent discovery of two unpatched vulnerabilities in Ollama's Windows update mechanism by Striga researchers further highlights the ongoing security challenges. These vulnerabilities can be chained into persistent code execution, and they remain unpatched even after a 90-day disclosure period. The flaws relate to a missing signature verification and a path traversal vulnerability, which, when combined, can allow an attacker to execute arbitrary code at every login. This highlights the importance of timely patching and the need for users to be vigilant about security updates. The security of AI platforms like Ollama is crucial, as they are increasingly used in various applications, from customer service to code generation. As such, it is imperative that developers and users take proactive steps to secure these systems and protect sensitive data from potential attackers. The recent Ollama vulnerabilities serve as a stark reminder of the ongoing challenges in securing AI technologies and the need for continuous vigilance and improvement in security practices.
