Approximately 300,000 deployments of the open-source AI tool Ollama are susceptible to information theft due to a critical vulnerability that can be exploited remotely, according to cybersecurity firm Cyera.
Vulnerability Details and Impact
Ollama, widely used for running large language models locally, faces a significant security threat from a heap out-of-bounds read issue. This flaw can be leveraged to gain unauthorized access to sensitive data stored in memory, such as prompts, messages, and crucial environment variables like API keys and tokens.
The vulnerability, identified as CVE-2026-7482 and named Bleeding Llama, specifically affects the GGUF model loader in Ollama. An attacker can provide a malicious GGUF file that declares a tensor offset and size exceeding the file’s actual length, leading to unauthorized memory access.
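The check a loader needs against a header like this, as an added Go example (not Ollama's code and not from Cyera's report): each declared tensor extent is validated against the real file length before any read. The `TensorInfo` type, the function names and the sample values are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// TensorInfo mirrors what a GGUF-style header declares for one tensor.
// Hypothetical type for illustration, not Ollama's own structure.
type TensorInfo struct {
	Name   string
	Offset uint64 // relative to the start of the tensor data section
	Size   uint64 // declared length in bytes
}

var ErrOutOfBounds = errors.New("tensor extent exceeds file length")

// CheckTensorBounds rejects a tensor whose declared bytes are not fully inside the file.
// dataStart is the absolute offset of the data section, fileLen the size on disk.
func CheckTensorBounds(t TensorInfo, dataStart, fileLen uint64) error {
	if dataStart > fileLen {
		return fmt.Errorf("%q: data section starts past EOF: %w", t.Name, ErrOutOfBounds)
	}
	avail := fileLen - dataStart
	// Compare by subtraction: a naive Offset+Size can wrap uint64 and pass.
	if t.Offset > avail || t.Size > avail-t.Offset {
		return fmt.Errorf("%q: offset=%d size=%d, only %d bytes available: %w",
			t.Name, t.Offset, t.Size, avail, ErrOutOfBounds)
	}
	return nil
}

// ValidateTensors fails closed on the first tensor that does not fit.
func ValidateTensors(ts []TensorInfo, dataStart, fileLen uint64) error {
	for _, t := range ts {
		if err := CheckTensorBounds(t, dataStart, fileLen); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed sample: a 96-byte file whose tensor data begins at byte 32.
	tensors := []TensorInfo{
		{Name: "fits", Offset: 0, Size: 64},
		{Name: "overruns", Offset: 32, Size: 4096},
	}
	fmt.Println(ValidateTensors(tensors, 32, 96))
}
```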
Exploitation Methodology
Cyera explains that attackers can abuse Ollama’s model push feature to transfer the leaked data to a server under their control. The attack takes just three unauthenticated API calls, as Ollama typically runs without authentication and listens on all network interfaces.
The widespread exposure of approximately 300,000 Ollama servers on the internet makes this vulnerability highly exploitable without requiring credentials. The potential consequences include the exposure of sensitive employee interactions, development code, and personal data routed through these deployments.
Mitigation and Recommendations
To address this vulnerability, Ollama released version 0.17.1, which organizations are urged to install promptly. Additionally, it is advised to limit network access to Ollama deployments by placing them behind an authentication proxy and segmenting networks.
Cyera further recommends auditing existing deployments for internet exposure and assuming that any internet-accessible instance may be compromised. Protecting environment variables and data is crucial to mitigating the risks associated with this vulnerability.
