CVE-2026-42248— Missing Signature Verification for Updates in Ollama
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42248
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Missing Signature Verification for Updates in Ollama
Source: NVD (National Vulnerability Database)
Vulnerability Description
Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables. Unlike other platforms, the Windows implementation of the update verification routine unconditionally returns success so no digital signature or trust validation is performed before staging or executing update payloads, enabling attacker‑supplied executables to be accepted and later executed by the application. Critically, Ollama for Windows performs silent automatic updates, so the malicious payload may be installed automatically without user awareness. Maintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
下载代码缺少完整性检查
Source: NVD (National Vulnerability Database)
Vulnerability Title
Ollama 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Ollama是Ollama开源的一个可以在本地设备上运行、管理和自定义大语言模型的工具。 Ollama 0.12.10版本至0.17.5版本存在安全漏洞,该漏洞源于下载更新可执行文件时未执行完整性或真实性验证,Windows实现无条件返回成功,在暂存或执行更新有效载荷前未进行数字签名或信任验证,可能导致攻击者提供的可执行文件被接受并执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-42248
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42248
请登录查看更多情报信息。
- Vulnerabilities in Ollama software | CERT Polskathird-party-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-42248
IV. Related Vulnerabilities
Same product: Ollama
- CVE-2026-7482
Ollama heap out-of-bounds read in GGUF tensor parsing leaks - CVE-2026-42249
Remote Code Execution in Ollama via Update Mechanism - CVE-2026-7020
Ollama Tensor Model Transfer transfer.go digestToPath path t - CVE-2026-5530
Ollama Model Pull API download.go server-side request forger - CVE-2025-15514
Ollama Multi-Modal Model Image Processing NULL Pointer Deref
Same vendor: Ollama
- CVE-2026-7482
Ollama heap out-of-bounds read in GGUF tensor parsing leaks - CVE-2026-42249
Remote Code Execution in Ollama via Update Mechanism - CVE-2025-15514
Ollama Multi-Modal Model Image Processing NULL Pointer Deref - CVE-2025-1975
Improper Validation of Array Index in ollama/ollama - CVE-2024-8063
Divide by Zero in ollama/ollama
Same weakness: CWE-494
- CVE-2026-42249
Remote Code Execution in Ollama via Update Mechanism - CVE-2026-40066
Anviz Products Download of Code Without Integrity Check - CVE-2026-3428
ASUS Member Center 安全漏洞 - CVE-2026-34841
Axios npm Supply Chain Incident Impacting @usebruno/cli - CVE-2026-3502
TrueConf Client Update Integrity Verification Bypass
V. Comments for CVE-2026-42248
No comments yet