Critical Ollama Vulnerability: Bleeding Llama Explained & How to Protect Your AI Models (2026)

Ollama, a popular open-source framework for running large language models (LLMs) locally, has been hit by a critical security vulnerability. This vulnerability, dubbed Bleeding Llama by Cyera, allows a remote, unauthenticated attacker to leak the entire process memory of an exposed Ollama server. The issue stems from a heap out-of-bounds read flaw in the GGUF model loader, which is tracked as CVE-2026-7482 with a CVSS score of 9.1. This vulnerability impacts over 300,000 servers globally and has been exploited in a multi-step attack chain.

The attacker first uploads a crafted GGUF file with an inflated tensor shape to the server, triggering the out-of-bounds read during model creation. Then, they use the /api/push endpoint to exfiltrate sensitive data from the heap memory to an external server. This data can include environment variables, API keys, system prompts, and conversation data from concurrent users.

The implications are severe, as attackers can gain valuable insights into an organization's AI inference, including proprietary code and customer contracts. Moreover, Ollama's integration with tools like Claude Code amplifies the risk, as all tool outputs flow to the server and potentially end up in the hands of attackers.

To mitigate this vulnerability, users are advised to apply the latest fixes, limit network access, audit running instances for internet exposure, and isolate them behind a firewall. Deploying an authentication proxy or API gateway is also recommended, as the REST API lacks built-in authentication.

In addition to the Bleeding Llama vulnerability, researchers at Striga have uncovered two unpatched flaws in Ollama's Windows update mechanism. These vulnerabilities can be chained into persistent code execution, allowing an attacker to influence update responses and execute arbitrary code at every login. The first flaw, CVE-2026-42248, involves a missing signature verification vulnerability, while the second, CVE-2026-42249, is a path traversal vulnerability. These issues affect Ollama for Windows versions 0.12.10 through 0.17.5. Users are urged to turn off automatic updates and remove Ollama shortcuts from the Startup folder to disable silent on-login execution.

These vulnerabilities highlight the ongoing challenges in securing AI platforms and the need for robust security measures to protect sensitive data and prevent unauthorized access.
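The GGUF loader flaw described above comes down to trusting a tensor shape declared in the file. The following is an added example, not Ollama's code or its patch, of the bounds check a model loader needs before reading tensor data; the `TensorInfo` struct, its field names and the fixed per-element size are simplifying assumptions, and the sample tensors are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// TensorInfo is a simplified, hypothetical view of one tensor entry in a
// model file header. Every field is untrusted input taken from the file.
type TensorInfo struct {
	Name     string
	Shape    []uint64 // declared dimensions
	ElemSize uint64   // bytes per element (assumes an unquantized type)
	Offset   uint64   // start of the tensor inside the data region
}

var ErrTensorBounds = errors.New("tensor exceeds data region")

// ValidateTensor rejects a tensor whose declared shape needs more bytes than
// the data region actually holds, using overflow-checked multiplication.
func ValidateTensor(t TensorInfo, dataLen uint64) error {
	size := t.ElemSize
	for _, d := range t.Shape {
		hi, lo := bits.Mul64(size, d)
		if hi != 0 { // product no longer fits in 64 bits
			return fmt.Errorf("%s: shape overflows: %w", t.Name, ErrTensorBounds)
		}
		size = lo
	}
	// Compare without computing Offset+size, which could itself wrap.
	if t.Offset > dataLen || size > dataLen-t.Offset {
		return fmt.Errorf("%s: needs %d bytes at offset %d, region has %d: %w",
			t.Name, size, t.Offset, dataLen, ErrTensorBounds)
	}
	return nil
}

func main() {
	data := make([]byte, 64) // constructed sample: 64 bytes of tensor data
	tensors := []TensorInfo{
		{"ok", []uint64{4, 4}, 4, 0},             // 64 bytes, fits exactly
		{"inflated", []uint64{4096, 4096}, 4, 0}, // declares 64 MiB
		{"wrapping", []uint64{1 << 62, 8}, 4, 0}, // unchecked product wraps to 0
	}
	for _, t := range tensors {
		fmt.Printf("%-9s -> %v\n", t.Name, ValidateTensor(t, uint64(len(data))))
	}
}
```

The "wrapping" case is the one a naive `size <= dataLen` comparison misses: without the overflow check the computed size wraps to zero and the tensor is accepted.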

Article information

Author: Ray Christiansen
