Vulnerability-Lookup

CNVD-2026-20166

Vulnerability from cnvd - Published: 2026-05-04

Title

Ollama GGUF模型加载器堆越界读取漏洞

Description

Ollama是一个开源的大语言模型部署与推理工具，主要提供模型的加载、量化及API接口服务。 Ollama GGUF模型加载器存在堆越界读取漏洞，该漏洞源于/api/create接口在处理攻击者提供的GGUF文件时，未能正确验证声明的张量偏移和大小是否超过文件实际长度，导致服务器读取已分配堆缓冲区之外的数据所致。攻击者可利用该漏洞泄露环境变量、API密钥等敏感内存数据。

Severity

低

Patch Name

Ollama GGUF模型加载器堆越界读取漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/ollama/ollama/pull/14406

Reference

https://github.com/ollama/ollama/pull/14406

Impacted products

Name
Ollama Ollama <0.17.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2026-7482",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2026-7482"
    }
  },
  "description": "Ollama\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u5927\u8bed\u8a00\u6a21\u578b\u90e8\u7f72\u4e0e\u63a8\u7406\u5de5\u5177\uff0c\u4e3b\u8981\u63d0\u4f9b\u6a21\u578b\u7684\u52a0\u8f7d\u3001\u91cf\u5316\u53caAPI\u63a5\u53e3\u670d\u52a1\u3002\n\nOllama GGUF\u6a21\u578b\u52a0\u8f7d\u5668\u5b58\u5728\u5806\u8d8a\u754c\u8bfb\u53d6\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e/api/create\u63a5\u53e3\u5728\u5904\u7406\u653b\u51fb\u8005\u63d0\u4f9b\u7684GGUF\u6587\u4ef6\u65f6\uff0c\u672a\u80fd\u6b63\u786e\u9a8c\u8bc1\u58f0\u660e\u7684\u5f20\u91cf\u504f\u79fb\u548c\u5927\u5c0f\u662f\u5426\u8d85\u8fc7\u6587\u4ef6\u5b9e\u9645\u957f\u5ea6\uff0c\u5bfc\u81f4\u670d\u52a1\u5668\u8bfb\u53d6\u5df2\u5206\u914d\u5806\u7f13\u51b2\u533a\u4e4b\u5916\u7684\u6570\u636e\u6240\u81f4\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6cc4\u9732\u73af\u5883\u53d8\u91cf\u3001API\u5bc6\u94a5\u7b49\u654f\u611f\u5185\u5b58\u6570\u636e\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/ollama/ollama/pull/14406",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-20166",
  "openTime": "2026-05-04",
  "patchDescription": "Ollama\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u5927\u8bed\u8a00\u6a21\u578b\u90e8\u7f72\u4e0e\u63a8\u7406\u5de5\u5177\uff0c\u4e3b\u8981\u63d0\u4f9b\u6a21\u578b\u7684\u52a0\u8f7d\u3001\u91cf\u5316\u53caAPI\u63a5\u53e3\u670d\u52a1\u3002\r\n\r\nOllama GGUF\u6a21\u578b\u52a0\u8f7d\u5668\u5b58\u5728\u5806\u8d8a\u754c\u8bfb\u53d6\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e/api/create\u63a5\u53e3\u5728\u5904\u7406\u653b\u51fb\u8005\u63d0\u4f9b\u7684GGUF\u6587\u4ef6\u65f6\uff0c\u672a\u80fd\u6b63\u786e\u9a8c\u8bc1\u58f0\u660e\u7684\u5f20\u91cf\u504f\u79fb\u548c\u5927\u5c0f\u662f\u5426\u8d85\u8fc7\u6587\u4ef6\u5b9e\u9645\u957f\u5ea6\uff0c\u5bfc\u81f4\u670d\u52a1\u5668\u8bfb\u53d6\u5df2\u5206\u914d\u5806\u7f13\u51b2\u533a\u4e4b\u5916\u7684\u6570\u636e\u6240\u81f4\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6cc4\u9732\u73af\u5883\u53d8\u91cf\u3001API\u5bc6\u94a5\u7b49\u654f\u611f\u5185\u5b58\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Ollama GGUF\u6a21\u578b\u52a0\u8f7d\u5668\u5806\u8d8a\u754c\u8bfb\u53d6\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Ollama Ollama \u003c0.17.1"
  },
  "referenceLink": "https://github.com/ollama/ollama/pull/14406",
  "serverity": "\u4f4e",
  "submitTime": "2026-05-06",
  "title": "Ollama GGUF\u6a21\u578b\u52a0\u8f7d\u5668\u5806\u8d8a\u754c\u8bfb\u53d6\u6f0f\u6d1e"
}

CVE-2026-7482 (GCVE-0-2026-7482)

Vulnerability from cvelistv5 – Published: 2026-05-04 12:38 – Updated: 2026-05-04 13:48 X_Unauthenticated X_Remote X_Information Disclosure

Title

Ollama heap out-of-bounds read in GGUF tensor parsing leaks server process memory to unauthenticated remote attackers

Summary

Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed).

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

8.8 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Red

CWE

CWE-125 - Out-of-bounds Read

Assigner

Echo

References

3 references

URL	Tags
https://github.com/ollama/ollama/pull/14406	patch
https://github.com/ollama/ollama/commit/88d57d048…	patch
https://github.com/ollama/ollama/releases/tag/v0.17.1	release-notes

Impacted products

1 product

Vendor	Product	Version
ollama	ollama	Affected: 0 , < 0.17.1 (semver)

Date Public ?

2026-02-25 00:00

Credits

Cyera Research Team (Dor Attias, Ofek Itach)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7482",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-04T13:48:32.181054Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-04T13:48:39.686Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com",
          "defaultStatus": "unaffected",
          "packageName": "ollama/ollama",
          "product": "ollama",
          "programFiles": [
            "fs/ggml/gguf.go",
            "server/quantization.go"
          ],
          "repo": "https://github.com/ollama/ollama",
          "vendor": "ollama",
          "versions": [
            {
              "lessThan": "0.17.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Cyera Research Team (Dor Attias, Ofek Itach)"
        }
      ],
      "datePublic": "2026-02-25T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eOllama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file\u0027s actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users\u0027 conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed).\u003c/p\u003e"
            }
          ],
          "value": "Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file\u0027s actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users\u0027 conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed)."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-540",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-540 Overread Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "AUTOMATIC",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "RED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Red",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-04T12:38:28.464Z",
        "orgId": "abd028dc-c042-4c4d-9749-38d0f850af89",
        "shortName": "Echo"
      },
      "references": [
        {
          "name": "ollama/ollama PR #14406 \u2014 ggml: ensure tensor size is valid (fix)",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/ollama/ollama/pull/14406"
        },
        {
          "name": "Fix commit 88d57d0",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/ollama/ollama/commit/88d57d0483cca907e0b23a968c83627a20b21047"
        },
        {
          "name": "ollama v0.17.1 release notes",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/ollama/ollama/releases/tag/v0.17.1"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUpgrade to ollama 0.17.1 or later. The fix in PR #14406 validates that declared tensor offset+size do not exceed the GGUF file size before reading, and adds a length check in the quantizer prior to the unsafe read.\u003c/p\u003e"
            }
          ],
          "value": "Upgrade to ollama 0.17.1 or later. The fix in PR #14406 validates that declared tensor offset+size do not exceed the GGUF file size before reading, and adds a length check in the quantizer prior to the unsafe read."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_unauthenticated",
        "x_remote",
        "x_information-disclosure"
      ],
      "title": "Ollama heap out-of-bounds read in GGUF tensor parsing leaks server process memory to unauthenticated remote attackers",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUntil upgrade is possible: (1) ensure Ollama is bound to a trusted interface only (default OLLAMA_HOST=127.0.0.1); (2) front Ollama with a reverse proxy that requires authentication on /api/create and /api/push; (3) restrict outbound network egress from the Ollama host to prevent exfiltration via /api/push to attacker-controlled registries.\u003c/p\u003e"
            }
          ],
          "value": "Until upgrade is possible: (1) ensure Ollama is bound to a trusted interface only (default OLLAMA_HOST=127.0.0.1); (2) front Ollama with a reverse proxy that requires authentication on /api/create and /api/push; (3) restrict outbound network egress from the Ollama host to prevent exfiltration via /api/push to attacker-controlled registries."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "abd028dc-c042-4c4d-9749-38d0f850af89",
    "assignerShortName": "Echo",
    "cveId": "CVE-2026-7482",
    "datePublished": "2026-05-04T12:38:28.464Z",
    "dateReserved": "2026-04-30T06:03:40.622Z",
    "dateUpdated": "2026-05-04T13:48:39.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-20166

CVE-2026-7482 (GCVE-0-2026-7482)

Tags

Sightings

Nomenclature