Cyber Posture

CVE-2026-7482

Critical

Published: 04 May 2026

Published
04 May 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS Score 0.0011 28.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7482 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Validates attacker-supplied GGUF tensor offsets and sizes against actual file length to prevent heap out-of-bounds reads during quantization processing.

SI-16 Memory Protection good match
prevent

Implements memory protections such as bounds checking to block unauthorized heap buffer reads that leak sensitive data like API keys and conversation history.

SC-14 Public Access Protections good match
prevent

Enforces protections like authentication or access restrictions on unauthenticated public endpoints /api/create and /api/push exposed via OLLAMA_HOST=0.0.0.0.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
attack.mitre.org →
T1567 Exfiltration Over Web Service Exfiltration
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
attack.mitre.org →
Why these techniques?

Direct remote exploitation of unauthenticated public API endpoint (/api/create) for memory disclosure (T1190) enabling local data/credential access (T1005, T1552) followed by exfiltration via unauthenticated web service push to attacker registry (T1567).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and…

more

server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed).

Deeper analysisAI

CVE-2026-7482 is a heap out-of-bounds read vulnerability (CWE-125) in the GGUF model loader of Ollama versions before 0.17.1. The issue arises in the /api/create endpoint, which accepts attacker-supplied GGUF files where the declared tensor offset and size exceed the file's actual length. During quantization processing in fs/ggml/gguf.go and server/quantization.go (specifically the WriteTo() function), the server reads past the allocated heap buffer, potentially leaking sensitive memory contents. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

An unauthenticated remote attacker can exploit this by uploading a crafted GGUF file to the /api/create endpoint, which lacks authentication in the upstream distribution. The out-of-bounds read exposes memory including environment variables, API keys, system prompts, and conversation data from concurrent users. The attacker can then exfiltrate the leaked data by using the similarly unauthenticated /api/push endpoint to upload the resulting model artifact to an attacker-controlled registry. While default deployments bind to 127.0.0.1, the OLLAMA_HOST=0.0.0.0 configuration is widely used, leading to large-scale public internet exposure.

Ollama addressed the vulnerability in version 0.17.1, as documented in the project's release notes, pull request #14406, and the fixing commit 88d57d0483cca907e0b23a968c83627a20b21047. Security practitioners should upgrade to 0.17.1 or later and restrict network access to the /api/create and /api/push endpoints where possible.

This issue is notable in AI/ML contexts, as Ollama is commonly used for local large language model inference with GGUF-format models, and significant public exposure has been observed in practice.

Details

CWE(s)
CWE-125

CVEs Like This One

CVE-2025-30347Shared CWE-125
CVE-2024-48456Shared CWE-125
CVE-2026-25181Shared CWE-125
CVE-2024-48457Shared CWE-125
CVE-2026-33669Shared CWE-125
CVE-2026-24915Shared CWE-125
CVE-2026-42799Shared CWE-125
CVE-2025-20920Shared CWE-125
CVE-2026-22984Shared CWE-125
CVE-2025-69806Shared CWE-125

References