A extreme vulnerability in Ollama, considered one of GitHub’s hottest open-source tasks, with over 155,000 stars. The flaw allows attackers to execute arbitrary code on methods operating susceptible variations of the platform by exploiting weaknesses within the software program’s parsing of mannequin recordsdata.
Ollama is a extensively used software that enables builders and AI specialists to run giant language fashions domestically with out counting on exterior providers like OpenAI.
The platform helps quite a few open-source fashions, together with gpt-oss, DeepSeek-R1, Meta’s Llama4, and Google’s Gemma3.
client-server structure of Ollama
Sonarsource researchers discovered a vital Out-Of-Bounds Write vulnerability throughout safety auditing of Ollama’s codebase.
The vulnerability impacts all Ollama variations earlier than 0.7.0 and exists within the mannequin file parsing mechanism. When processing specifically crafted GGUF mannequin recordsdata, the software program fails to validate particular metadata values correctly.
Particularly, in the course of the parsing of mllama fashions, the code doesn’t confirm whether or not indices specified within the mannequin’s metadata fall inside acceptable bounds. This oversight permits attackers to govern reminiscence past allotted boundaries.
The exploitation path includes creating malicious mannequin recordsdata with outsized metadata entries or invalid layer indices. When Ollama processes these recordsdata, the vulnerability triggers an Out-Of-Bounds Write situation.
mannequin file to substantiate OOB write
Attackers who achieve entry to Ollama’s API can load and execute these weaponized fashions, reaching distant code execution on the goal system.
Sonarsource confirmed the vulnerability is exploitable in builds with out Place Impartial Executable configuration, releases embody this safety; consultants consider exploitation stays possible with extra effort.
The vulnerability notably impacts the mllama mannequin parsing code written in C++, the place unsafe reminiscence operations happen throughout mannequin initialization.
The Ollama growth workforce addressed this vulnerability in model 0.7.0 by utterly rewriting the susceptible mllama mannequin dealing with code in Go, eliminating the unsafe C++ implementation.
Customers operating older variations face vital safety dangers and will improve to the most recent launch instantly.
Organizations utilizing Ollama in manufacturing environments ought to audit their deployments and implement model controls to forestall the loading of untrusted mannequin recordsdata.
Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.
