Ollama ‘Bleeding Llama’ Vulnerability Puts 300K Servers at Risk of Sensitive Data Exposure

Vulnerability Overview: Bleeding Llama Can Lead to Full Memory Disclosure

Security researchers from Cyera identified a critical vulnerability in the Ollama AI framework, tracked as CVE‑2026‑7482 and named “Bleeding Llama.” The flaw resides in the model quantization pipeline that processes GGUF (GPT Generation Unified Format) files, where a heap out‑of‑bounds read can expose the entire process memory.

Attack Mechanism: Only Three API Calls Needed

The issue stems from how Ollama loads GGUF files. An attacker can create a GGUF file that declares tensor dimensions far larger than the actual data, forcing Ollama to read past the expected buffer boundary. This requires just three API requests: upload the malicious GGUF, trigger the read, and use the push API to exfiltrate the leaked data to a server under the attacker’s control.

Leaked memory may contain user prompts, chat messages, system prompts for all running models, cross‑user conversation history, environment variables with API keys and other secrets, proprietary code submitted to the model, and client data or contracts reviewed by the AI.

Impact Scope

More than 300,000 servers that are publicly reachable on the internet are potentially vulnerable. Even locally deployed Ollama instances without proper access restrictions are at risk, as unauthenticated attackers can exploit the flaw within a LAN.

Mitigation Measures

Users should immediately upgrade to Ollama 0.17.1, which includes a patch for this vulnerability. Additional protective steps include:

Deploy an authentication proxy or API gateway in front of all Ollama instances.

Never expose instances to the internet without IP filtering and firewall rules.

Place local Ollama servers behind secure network segments and firewalls.

Rotate any API keys, tokens, or credentials that may have been exposed.

Broader Recommendations

Cyera warns that any Ollama server previously exposed to the internet should be assumed compromised, with memory‑resident environment variables and secrets considered leaked. This advisory applies to all AI and AI‑agent frameworks, which are increasingly targeted by attackers. Organizations should incorporate these tools into their vulnerability management programs and regularly audit their network presence.