"Bleeding Llama": Critical Ollama Vulnerability Exposes Over 300,000 AI Servers to Memory Leaks

-


Cybersecurity researchers have uncovered a critical vulnerability in Ollama, one of the most widely used platforms for running large language models locally, that could allow a remote, unauthenticated attacker to read and steal the server's entire process memory. Tracked as CVE-2026-7482 and dubbed "Bleeding Llama" by the researchers at Cyera who discovered it, the flaw carries a CVSS score of 9.1 and is estimated to affect more than 300,000 publicly exposed servers worldwide.

What Is Ollama?

Ollama is a popular open-source framework that enables developers and organizations to run AI language models locally rather than relying on cloud services. The project has over 171,000 stars on GitHub, making it one of the most widely adopted tools in the self-hosted AI space.

How the Vulnerability Works

The flaw is an out-of-bounds heap read located in Ollama's GGUF model loader specifically in a function called WriteTo() within the model creation pipeline. GGUF is the standard file format used to store and load large language models locally.

The attack is straightforward: an attacker sends a specially crafted GGUF file to an exposed Ollama server, with the tensor dimensions set to a deliberately oversized value. When Ollama processes the file through its /api/create endpoint during model creation, the server reads beyond the boundaries of its allocated memory buffer leaking whatever happens to reside in the surrounding heap memory.

The exploitation chain unfolds in three steps. First, the attacker uploads the malicious GGUF file. Second, they trigger model creation via the /api/create endpoint, activating the out-of-bounds read. Third, they use Ollama's /api/push endpoint to exfiltrate the leaked memory contents to an attacker-controlled model registry.

What Data Is at Risk?

The data exposed through this vulnerability is particularly sensitive, since Ollama sits at the core of many organizations' AI infrastructure. Leaked memory can contain environment variables, API keys, system prompts, and the full conversation data of users currently interacting with the server.

As Cyera security researcher Dor Attias noted, attackers can essentially learn everything about an organization's AI inference pipeline, including proprietary code, customer contracts, and authentication credentials. In environments where Ollama is connected to agentic tools like Claude Code, the impact is even broader, since all tool outputs and intermediate results flow through the server and may end up exposed.

The Fix

The vulnerability was addressed in Ollama version 0.17.1. All users running earlier versions should update immediately. Additionally, organizations are strongly advised to place Ollama instances behind a firewall or authentication proxy, since the REST API does not include built-in authentication. Publicly exposing an Ollama instance to the internet without any access controls is particularly dangerous given this flaw.

Bonus: Two Unpatched Windows Flaws Enable Persistent Code Execution

Separately, researchers at Striga disclosed two additional vulnerabilities in Ollama's Windows auto-update mechanism that, when chained together, allow an attacker to achieve persistent code execution on victim machines at every login. These flaws CVE-2026-42248 and CVE-2026-42249, both scoring 7.7 remain unpatched as of the time of writing, following the expiration of a 90-day responsible disclosure period.

The first flaw is a missing signature verification check the Windows updater installs update binaries without verifying their authenticity, unlike the macOS version. The second is a path traversal vulnerability that allows an attacker who controls an update server to redirect where the installer is written on disk, including into the Windows Startup folder.

Combined, these two flaws allow an attacker to silently drop a malicious executable into the Startup folder, which is then executed automatically on every subsequent user login without triggering any signature check. Realistic payloads include reverse shells, credential stealers, and droppers for additional malware.

Affected versions span Ollama for Windows 0.12.10 through 0.17.5 for the path traversal, and up to 0.22.0 for the signature verification issue. As no patch is currently available, users are advised to disable automatic updates in Ollama for Windows and manually remove any Ollama shortcut from the Windows Startup folder as a temporary mitigation.

Resources

Comments

Post a Comment

Popular posts from this blog

The Hidden Lag Killing Your SIEM Efficiency

-
Image
  If your security tools feel slower than they should, you’re not imagining it. Many IT teams blame their sluggish SIEM performance on query complexity or alert volume. But sometimes the real issue is much simpler: oversized input files quietly dragging your system down. Think about the last time you had to sift through a bloated PDF or an unoptimised log dump. Every unnecessary megabyte adds strain. Every redundant line eats up cycles. Your SIEM doesn’t just react to threats—it processes all incoming data, relevant or not. When it starts lagging, detection gets delayed, triage slows, and in the high-stakes world of threat response, even seconds count. We often focus on analytics and rule tuning, but upstream efficiency—what you feed into your system—deserves just as much attention. This article looks at how optimising your inputs unlocks downstream performance. Why Oversized Files Clog the Pipeline As data volumes grow, organisations face esca lating  data storage costs ,...
Read more

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware

-
Image
The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country. The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023. ...
Read more