CVE-2026-7482 — AI Deep Analysis Summary

🚨 **Essence**: Ollama < 0.17.1 has a **Heap Buffer Over-read** in GGUF model loading. 📉 **Consequences**: Memory leakage of env vars, API keys, prompts, and chat data.…

🛡️ **CWE**: CWE-125 (Out-of-bounds Read). 🔍 **Flaw**: The loader accepts GGUF files with **invalid tensor offsets/sizes** exceeding file length.…

📦 **Vendor**: Ollama. 📅 **Affected**: Versions **prior to 0.17.1**. 🧩 **Components**: `/api/create` endpoint (loading) & `/api/push` endpoint (exfiltration).

🕵️ **Hackers Can**: Read sensitive memory contents. 🗝️ **Data Stolen**: Env vars, API keys, system prompts, user conversations. 📤 **Exfil Method**: Upload crafted model to attacker-controlled registry via `/api/push`.

⚠️ **Threshold**: LOW. 🔓 **Auth**: Default endpoints `/api/create` & `/api/push` have **NO authentication**. 🌐 **Config**: Often bound to `0.0.0.0` (public internet), not just `127.0.0.1`.

🚫 **Public Exp?**: No PoCs listed in data. 📉 **Risk**: However, simple crafted GGUF files can trigger it. Wild exploitation likely easy due to lack of auth & simple buffer logic.

🔍 **Self-Check**: 1. Check Ollama version (< 0.17.1). 2. Scan for public exposure of port 11434. 3. Monitor for unusual `/api/create` or `/api/push` requests from unknown IPs.

✅ **Fixed**: Yes! 📦 **Patch**: Version **0.17.1**. 🔗 **Ref**: PR #14406 ensures tensor size validity. Commit `88d57d0` fixes the issue. 🔄 **Action**: Upgrade immediately.

🛡️ **Workaround**: 1. **Bind to 127.0.0.1** only. 2. Implement **reverse proxy auth** (e.g., Nginx basic auth) for `/api/create` & `/api/push`. 3. Restrict network access.

🔥 **Urgency**: CRITICAL. 🚨 **Priority**: P1. CVSS **High** (AV:N, AC:L, PR:N, UI:N, C:H, A:H). Immediate patching required due to no-auth default config & sensitive data exposure.