Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
Ollama Vulnerability Chain Exposes 300,000 Servers to Memory Leaks and Persistent Code Execution
TL;DR Three vulnerabilities in Ollama—a widely-deployed open-source LLM framework—enable remote memory leakage, Windows update hijacking, and persistent code execution. CVE-2026-7482 (CVSS 9.1) allows unauthenticated attackers to exfiltrate API keys and conversation data from process memory; two unpatched Windows flaws (CVE-2026-42248, CVE-2026-42249) enable code execution at login. Administrators should upgrade to Ollama 0.17.1 or later, isolate instances behind firewalls, and disable auto-update on Windows deployments.
What happened
Researchers at Cyera, Striga, and CERT Polska have disclosed a chain of vulnerabilities affecting Ollama, an open-source framework for running large language models locally. The framework has over 171,000 GitHub stars and is deployed on an estimated 300,000 servers globally.
The primary vulnerability, CVE-2026-7482, is a heap out-of-bounds read in Ollama versions before 0.17.1. The flaw exists in the GGUF model loader—GGUF (GPT-Generated Unified Format) is the file format Ollama uses to store and load LLMs locally. When Ollama processes a crafted GGUF file via the /api/create endpoint, an attacker can supply inflated tensor offset and size values that exceed the file's actual length. During model quantization, the WriteTo() function in fs/ggml/gguf.go and server/quantization.go reads past allocated heap buffers, leaking adjacent memory to attackers.
The vulnerability stems from Ollama's use of Go's unsafe package, which bypasses normal memory safety protections. An attack unfolds in three steps: uploading a crafted GGUF file to a network-accessible Ollama server, triggering the out-of-bounds read via /api/create, and exfiltrating leaked heap data through the /api/push endpoint to an attacker-controlled registry.
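The missing check behind this class of bug, as an added Go example (not Ollama's code or its actual patch): tensor offsets and sizes taken from the file header are validated against the real file length before any bytes are copied. TensorInfo, CheckTensor and ReadTensor are hypothetical names, and the 64-byte input is constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// TensorInfo is a hypothetical, simplified GGUF tensor entry (not Ollama's type).
type TensorInfo struct {
	Name         string
	Offset, Size uint64 // Offset is relative to the tensor-data section
}

var ErrTensorBounds = errors.New("tensor range outside file")

// CheckTensor verifies that the declared range fits inside fileSize bytes.
// It subtracts instead of adding so attacker-chosen uint64 values cannot
// wrap around and pass the comparison.
func CheckTensor(t TensorInfo, dataStart, fileSize uint64) error {
	if dataStart > fileSize || t.Offset > fileSize-dataStart ||
		t.Size > fileSize-dataStart-t.Offset {
		return fmt.Errorf("%w: %q offset=%d size=%d file=%d",
			ErrTensorBounds, t.Name, t.Offset, t.Size, fileSize)
	}
	return nil
}

// ReadTensor copies tensor bytes only after the header's range has been
// checked against the real file length.
func ReadTensor(r io.ReaderAt, t TensorInfo, dataStart, fileSize uint64) ([]byte, error) {
	if err := CheckTensor(t, dataStart, fileSize); err != nil {
		return nil, err
	}
	buf := make([]byte, t.Size)
	sec := io.NewSectionReader(r, int64(dataStart+t.Offset), int64(t.Size))
	_, err := io.ReadFull(sec, buf)
	return buf, err
}

func main() {
	r := bytes.NewReader(bytes.Repeat([]byte{0xAB}, 64)) // constructed 64-byte "file"
	for _, t := range []TensorInfo{{"ok", 0, 32}, {"inflated", 16, 1 << 20}, {"wrap", ^uint64(0) - 7, 16}} {
		_, err := ReadTensor(r, t, 16, 64)
		fmt.Printf("%-9s err=%v\n", t.Name, err)
	}
}
```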
Successful exploitation leaks sensitive data from Ollama process memory, including environment variables, API keys, system prompts, and concurrent users' conversation data. Cyera researcher Dor Attias noted that data risk expands when Ollama integrates with LLM tools like Claude Code, where tool outputs flow through the server heap and become targets for exfiltration.
In parallel, researchers at Striga disclosed two unpatched vulnerabilities in Ollama's Windows update mechanism. The Windows client auto-starts on login from the Startup folder, runs on 127.0.0.1:11434, and periodically polls for updates via the /api/update endpoint. The vulnerabilities allow attackers controlling an update server to inject arbitrary executables into the Startup folder, achieving persistent code execution at each login. These flaws were disclosed on January 27, 2026, and remain unfixed after the 90-day disclosure window elapsed.
Why it matters
Memory leakage at scale: An unauthenticated attacker can extract entire process memory from exposed Ollama instances without credentials. This includes hardcoded API keys, environment secrets, and proprietary LLM prompts—data sufficient for lateral movement or API credential theft.
Supply-chain risk: Ollama frequently integrates with external tools. When those tools output results to Ollama's memory, attackers gain access to derived data and tool-chain secrets.
Windows persistence: The two unpatched flaws allow local or network-positioned attackers to achieve silent, persistent code execution at user login. Unlike non-persistent exploits that disappear on update, the path traversal vulnerability (CVE-2026-42249) combined with missing signature verification (CVE-2026-42248) writes attacker binaries to Startup folders where they survive updates.
Default-insecure REST API: Ollama's REST API lacks built-in authentication, forcing operators to deploy separate gateway layers to prevent unauthorized access. Many deployments remain exposed.
Affected systems and CVEs
- Ollama before 0.17.1: CVE-2026-7482 (CVSS 9.1) — heap out-of-bounds read in GGUF model loader
- Ollama for Windows 0.12.10–0.17.5: CVE-2026-42248 (CVSS 7.7) — missing signature verification on update binaries
- Ollama for Windows 0.12.10–0.17.5: CVE-2026-42249 (CVSS 7.7) — path traversal in Windows updater staging directory
- Ollama for Windows 0.12.10–0.22.0: vulnerable to chained code execution via both Windows flaws
What to do
- Upgrade Ollama to version 0.17.1 or later to address CVE-2026-7482.
- Audit all Ollama instances for external network exposure; use netstat or network scanning to identify listening ports.
- Isolate Ollama servers behind firewalls; restrict access to /api/create and /api/push endpoints to trusted networks only.
- Deploy an authentication proxy or API gateway in front of all Ollama instances (the REST API does not provide authentication out of the box).
- Limit network access to Ollama instances; disable listening on 0.0.0.0 if not required for external consumption.
- Windows-specific: Disable automatic updates in Ollama settings until patches are available.
- Windows-specific: Remove any Ollama shortcut from the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) to prevent silent execution on login.
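One way to implement the authentication gateway and endpoint restriction from the list above, as an added Go example that is not part of Ollama: every request needs a bearer token, and /api/create and /api/push are additionally limited to trusted source networks. The Gate type, the GATE_TOKEN variable, the 10.0.0.0/8 network and the listen address are assumptions.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httputil"
	"net/netip"
	"net/url"
	"os"
	"path"
	"strings"
)

// Gate is a hypothetical gateway type; Token and Trusted are deployment choices.
type Gate struct {
	Token   string         // bearer token required on every request
	Trusted []netip.Prefix // networks allowed to reach /api/create and /api/push
	Next    http.Handler   // upstream, e.g. a reverse proxy to Ollama
}

func (g Gate) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	want := "Bearer " + g.Token // an empty token fails closed below
	if g.Token == "" || subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), []byte(want)) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	p := strings.ToLower(path.Clean("/" + r.URL.Path)) // "/api//create", "/API/push" still match
	if (strings.HasPrefix(p, "/api/create") || strings.HasPrefix(p, "/api/push")) && !g.trusted(r.RemoteAddr) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	g.Next.ServeHTTP(w, r)
}

func (g Gate) trusted(remote string) bool {
	peer, err := netip.ParseAddrPort(remote) // TCP peer only; forwarding headers are ignored
	for _, n := range g.Trusted {
		if err == nil && n.Contains(peer.Addr().Unmap()) {
			return true
		}
	}
	return false
}

func main() {
	up, _ := url.Parse("http://127.0.0.1:11434") // Ollama's local address per the article
	g := Gate{Token: os.Getenv("GATE_TOKEN"), Trusted: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}, Next: httputil.NewSingleHostReverseProxy(up)}
	panic(http.ListenAndServe("10.0.0.5:8080", g)) // assumed address; put TLS in front
}
```

With this in place Ollama itself should listen only on 127.0.0.1, so the gateway is the sole network path to the API.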
Open questions
- Have patches been released for CVE-2026-42248 and CVE-2026-42249 as of publication, and which version number contains the fix?
- What is the exact scope of deployed Ollama for Windows instances vulnerable to the two unpatched flaws?
- Has exploitation of any of these vulnerabilities been observed in the wild?
- Which versions of Ollama for Windows fully remediate the two Windows vulnerabilities?
Source
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak


