A major security flaw has placed Ollama, one of the most widely used platforms for running local AI models, at risk of a high-profile exposure event.<\/p>\n
The issue, dubbed \u201cBleeding Llama,\u201d allows unauthenticated attackers to access the Ollama process and extract sensitive data<\/a> directly from memory, putting roughly 300,000 internet-facing servers worldwide at risk.<\/p>\n With only three API calls, an attacker can extract prompts, system instructions, and environment variables from exposed deployments, turning AI infrastructure into an unexpected source of data leakage.<\/p>\n Discovered by cybersecurity researchers at Cyera and assigned a critical CVSS score of 9.1 by the Echo CVE Numbering Authority, CVE-2026-7482 represents a massive enterprise risk.<\/p>\n Ollama lets users create model instances from uploaded files, including GGUF model files<\/a> used to package tensors, metadata, and other model information for local inference.<\/p>\n The vulnerable path is tied to the model-creation flow, where Ollama processes uploaded files via its API and prepares them for conversion and saving.<\/p>\n Researchers found that a crafted GGUF file can abuse this process by declaring a tensor shape that is much larger than the actual data stored in the file, causing the server to read beyond the intended buffer.<\/p>\n The weakness appears during tensor conversion, where Ollama uses Go\u2019s\u00a0unsafe\u00a0functionality for low-level memory operations instead of staying inside normal safety boundaries.<\/p>\n Because the software does not properly validate that the tensor metadata matches the actual file size, the conversion routine can trigger an out-of-bounds heap read <\/a>and capture unrelated memory contents nearby.<\/p>\n That leaked memory is then carried forward into a newly created model file instead of being discarded.<\/p>\n The attack becomes especially dangerous because researchers found a way to preserve the leaked memory in readable form during conversion.<\/p>\n By using a float-16 source tensor and forcing a float-32 destination, the attacker can rely on a lossless conversion path that preserves the stolen bytes rather than corrupting them through lossy quantization.<\/p>\n Once the malicious model is created, Ollama\u2019s push functionality can upload it to an attacker-controlled server, effectively exfiltrating the leaked memory from the target system.<\/p>\n According to the Cyera research<\/a>, the leaked heap data can include user prompts, system prompts from other models, and environment variables stored by the host running Ollama.<\/p>\n In enterprise environments, this may expose API keys, internal instructions, proprietary code, customer-related content, and other highly sensitive material processed by AI workflows.<\/p>\n The risk grows further when Ollama is connected to external tools or coding assistants<\/a>, because those outputs can also pass through memory and become part of what an attacker steals.<\/p>\n The issue affects Ollama deployments before version 0.17.1, which includes the relevant security fix referenced by the researchers and Echo.<\/p>\n Organizations should upgrade immediately, remove any public exposure, place Ollama behind authentication controls, and restrict access to trusted internal networks only.<\/p>\n Any environment that has been internet-accessible should also review logs, rotate secrets, and assume that prompts and environment data may already have been exposed.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Critical Ollama Memory Leak Vulnerability Exposes 300,000 Servers Globally<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Ollama](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh0lYoyPGuYCo4cou6esEv-X0LxnQ9zwwFGdbk7xOLfC7EKKZ6SrrF2_k2tidon0euaYiM8PES3S0VyF2yZeAFhpOCHvappwntv-y1RhZTK-yzNBK9Svc9pXZ2sRqkebOtjKkI8G4uUjcazorDadgnn4MceCDOHPYvGX15H-z6QcbZ_ZH3z73dM0UqMZGM\/s1600\/Screenshot%25202026-05-07%2520111242%2520%25281%2529.webp?ssl=1\")
Ollama Vulnerability Exposes Servers<\/strong><\/h2>\n
![\"Attacker](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgKyvv-I3g0D8YMp19JkjbzOUvb_PBmfpE4_qL08_D-jyaZIjVnGKF1a5vPuk8xPTMdDehgz9GfFKGKM1URtBlzRQwyMJHZA9gdmDwf1OQQ85NA9PrD6aTnurdF5hb-YAQGexaKvREYlQsG0yUA4YBWik_hq2Bc5k9lC6wj3_6QRFqGanKZdU-kZdO323E\/s1600\/Screenshot%25202026-05-07%2520110907%2520%25281%2529.webp?ssl=1\")
![\"Quantization](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjcPrbK06GY_1Q3ugJdducNIlLwuABh5PsYYMB98kEdegx8qSphEi5G3HJLpgGxI2spDEppJ-5_e4PpBcrK-VzBmPiLReCDZIhdzF65GbYRy2T-SwdKgoiR_eLGZCUvWiRYBpEPa8K8lyE3iIqR_OvI2z0uLVmY2Qe8OxCbqYqh2VexjR6_eyTGBAMgh9g\/s1600\/Screenshot%25202026-05-07%2520110917%2520%25281%2529.webp?ssl=1\")