Cyber Resilience

CVE-2026-7482

High

Published: 04 May 2026

Published
04 May 2026
Modified
11 May 2026
KEV Added
Patch
CVSS Score v4 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:D/RE:L/U:Red
EPSS Score 0.0100 58.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-7482 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Ollama Ollama. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as NLP and Transformers; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-7482 is a heap out-of-bounds read vulnerability (CWE-125) in the GGUF model loader of Ollama versions before 0.17.1. The issue arises in the /api/create endpoint, which accepts attacker-supplied GGUF files where the declared tensor offset and size exceed the file's actual length. During quantization processing in fs/ggml/gguf.go and server/quantization.go (specifically the WriteTo() function), the server reads past the allocated heap buffer, potentially leaking sensitive memory contents. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

An unauthenticated remote attacker can exploit this by uploading a crafted GGUF file to the /api/create endpoint, which lacks authentication in the upstream distribution. The out-of-bounds read exposes memory including environment variables, API keys, system prompts, and conversation data from concurrent users. The attacker can then exfiltrate the leaked data by using the similarly unauthenticated /api/push endpoint to upload the resulting model artifact to an attacker-controlled registry. While default deployments bind to 127.0.0.1, the OLLAMA_HOST=0.0.0.0 configuration is widely used, leading to large-scale public internet exposure.

Ollama addressed the vulnerability in version 0.17.1, as documented in the project's release notes, pull request #14406, and the fixing commit 88d57d0483cca907e0b23a968c83627a20b21047. Security practitioners should upgrade to 0.17.1 or later and restrict network access to the /api/create and /api/push endpoints where possible.

This issue is notable in AI/ML contexts, as Ollama is commonly used for local large language model inference with GGUF-format models, and significant public exposure has been observed in practice.

EU & UK References

Vulnerability details

Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and…

more

server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed).

CWE(s)

AI Security AnalysisAI

AI Category
NLP and Transformers
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ggml, ollama

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
T1567 Exfiltration Over Web Service Exfiltration
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
Why these techniques?

Direct remote exploitation of unauthenticated public API endpoint (/api/create) for memory disclosure (T1190) enabling local data/credential access (T1005, T1552) followed by exfiltration via unauthenticated web service push to attacker registry (T1567).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-12055Same product: Ollama Ollama
CVE-2025-15514Same product: Ollama Ollama
CVE-2025-63389Same product: Ollama Ollama
CVE-2025-66960Same product: Ollama Ollama
CVE-2025-66959Same product: Ollama Ollama
CVE-2025-0312Same product: Ollama Ollama
CVE-2024-8063Same product: Ollama Ollama
CVE-2025-0317Same product: Ollama Ollama
CVE-2025-0315Same product: Ollama Ollama
CVE-2026-42249Same product: Ollama Ollama

Affected Assets

ollama
ollama
≤ 0.17.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates attacker-supplied GGUF tensor offsets and sizes against actual file length to prevent heap out-of-bounds reads during quantization processing.

prevent

Implements memory protections such as bounds checking to block unauthorized heap buffer reads that leak sensitive data like API keys and conversation history.

prevent

Enforces protections like authentication or access restrictions on unauthenticated public endpoints /api/create and /api/push exposed via OLLAMA_HOST=0.0.0.0.

References