Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak

Local deployment of large language models has surged as firms seek to keep proprietary data off public clouds. Ollama, with its easy‑to‑use interface and over 171,000 GitHub stars, quickly became a go‑to solution, but its reliance on unsafe Go code introduced a classic out‑of‑bounds read. By crafting a GGUF file with an inflated tensor offset, an attacker can force the server to read beyond its heap, exposing environment variables, API keys, and even user conversations. The flaw’s high CVSS rating and the sheer number of potentially vulnerable instances underscore a systemic risk in the fast‑growing AI‑on‑prem market.

Beyond the memory leak, the Windows client’s auto‑update mechanism suffers two critical bugs: missing signature verification and a path‑traversal that writes attacker‑chosen executables to the Startup folder. When the client polls a malicious update server, a crafted payload can persist across reboots without user interaction, granting the same privileges as the logged‑in user. This supply‑chain style attack expands the threat surface from remote API calls to the very process that delivers model updates, mirroring recent trends where attackers weaponize trusted update channels to infiltrate corporate environments.

Mitigation requires a layered approach. Organizations should immediately upgrade to the patched Ollama release, restrict inbound traffic to the /api endpoints, and place an authentication proxy or API gateway in front of any exposed instance. For Windows users, disabling automatic updates, removing lingering shortcuts from the Startup folder, and verifying code signatures before execution are essential steps. The episode serves as a reminder that the convenience of local AI must be balanced with rigorous security hygiene, especially as enterprises integrate these models into critical workflows and downstream tools.