2464938 – (CVE-2026-7482) CVE-2026-7482 github.com/ollama/ollama: ollama: Ollama: Information disclosure via heap out-of-bounds read in GGUF model loader

Bug 2464938 (CVE-2026-7482) - CVE-2026-7482 github.com/ollama/ollama: ollama: Ollama: Information disclosure via heap out-of-bounds read in GGUF model loader

Summary: CVE-2026-7482 github.com/ollama/ollama: ollama: Ollama: Information disclosur...

Keywords:
Status:	NEW
Alias:	CVE-2026-7482
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2476396 2476395
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-04 13:01 UTC by OSIDB Bzimport
Modified:	2026-05-12 10:02 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-04 13:01:23 UTC

Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed).

Note You need to log in before you can comment on or make changes to this bug.