CVE-2026-7482

CVE-2026-7482 is a heap out-of-bounds read vulnerability (CWE-125) in the GGUF model loader of Ollama versions before 0.17.1. The issue arises in the /api/create endpoint, which accepts attacker-supplied GGUF files where the declared tensor offset and size exceed the file's actual length. During quantization processing in fs/ggml/gguf.go and server/quantization.go (specifically the WriteTo() function), the server reads past the allocated heap buffer, potentially leaking sensitive memory contents. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

An unauthenticated remote attacker can exploit this by uploading a crafted GGUF file to the /api/create endpoint, which lacks authentication in the upstream distribution. The out-of-bounds read exposes memory including environment variables, API keys, system prompts, and conversation data from concurrent users. The attacker can then exfiltrate the leaked data by using the similarly unauthenticated /api/push endpoint to upload the resulting model artifact to an attacker-controlled registry. While default deployments bind to 127.0.0.1, the OLLAMA_HOST=0.0.0.0 configuration is widely used, leading to large-scale public internet exposure.

Ollama addressed the vulnerability in version 0.17.1, as documented in the project's release notes, pull request #14406, and the fixing commit 88d57d0483cca907e0b23a968c83627a20b21047. Security practitioners should upgrade to 0.17.1 or later and restrict network access to the /api/create and /api/push endpoints where possible.

This issue is notable in AI/ML contexts, as Ollama is commonly used for local large language model inference with GGUF-format models, and significant public exposure has been observed in practice.