Cyber Security News

Ollama Vulnerabilities Let Attackers Execute Arbitrary Code by Parsing of Malicious Model Files

A severe vulnerability has been disclosed in Ollama, one of GitHub’s most popular open-source projects, with over 155,000 stars. The flaw enables attackers to execute arbitrary code on systems running vulnerable versions of the platform by exploiting weaknesses in the software’s parsing of model files.

Ollama is a widely used tool that allows developers and AI specialists to run large language models locally without relying on external services like OpenAI.

The platform supports numerous open-source models, including gpt-oss, DeepSeek-R1, Meta’s Llama4, and Google’s Gemma3.

[Figure: client-server architecture of Ollama]

Sonarsource researchers found a critical Out-Of-Bounds Write vulnerability during security auditing of Ollama’s codebase.

The vulnerability affects all Ollama versions before 0.7.0 and exists in the model file parsing mechanism. When processing specially crafted GGUF model files, the software fails to validate specific metadata values properly.

Specifically, during the parsing of mllama models, the code does not verify whether indices specified in the model’s metadata fall within acceptable bounds. This oversight allows attackers to manipulate memory beyond allocated boundaries.

The exploitation path involves creating malicious model files with oversized metadata entries or invalid layer indices. When Ollama processes these files, the vulnerability triggers an Out-Of-Bounds Write condition.
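To make the missing bounds check concrete, here is an added Python example (not Ollama's own parser, which was written in C++ and later rewritten in Go): it reads the metadata section of a GGUF file and rejects a model whose layer indices fall outside the declared block count. The two metadata key names and the sample file are constructed for illustration and are assumptions, not values taken from Ollama.

```python
import struct
# GGUF layout (GGUF spec, little-endian): b"GGUF", u32 version, u64 tensor_count,
# u64 kv_count, then kv_count pairs of (string key, u32 value type, value).
MAGIC, T_UINT32, T_ARRAY = b"GGUF", 4, 9
# Key names are ASSUMED for illustration; they are not taken from Ollama's parser.
COUNT_KEY = "mllama.block_count"
INDEX_KEY = "mllama.attention.cross_attention_layers"

def _read_value(buf, off, vtype):
    if vtype == T_UINT32:
        return struct.unpack_from("<I", buf, off)[0], off + 4
    if vtype == T_ARRAY:  # u32 element type, u64 length, then the elements
        etype, n = struct.unpack_from("<IQ", buf, off)
        items, off = [], off + 12
        for _ in range(n):
            v, off = _read_value(buf, off, etype)
            items.append(v)
        return items, off
    raise ValueError(f"value type {vtype} not handled by this example")

def parse_gguf_metadata(buf):
    """Parse the header and metadata KV section into a dict."""
    if buf[:4] != MAGIC:
        raise ValueError("not a GGUF file")
    kv_count = struct.unpack_from("<Q", buf, 16)[0]
    off, meta = 24, {}
    for _ in range(kv_count):
        (n,) = struct.unpack_from("<Q", buf, off)  # string key: u64 length + bytes
        key, off = buf[off + 8:off + 8 + n].decode(), off + 8 + n
        (vtype,) = struct.unpack_from("<I", buf, off)
        meta[key], off = _read_value(buf, off + 4, vtype)
    return meta

def validate_layer_indices(meta):
    """The missing bounds check: every index must satisfy 0 <= idx < block_count."""
    block_count = meta.get(COUNT_KEY)
    if not isinstance(block_count, int):
        return False, f"missing {COUNT_KEY}"
    for idx in meta.get(INDEX_KEY, []):
        if not 0 <= idx < block_count:
            return False, f"index {idx} outside [0, {block_count})"
    return True, "ok"

def build_gguf(block_count, layer_indices):
    """Constructed sample: a minimal GGUF (version 3, no tensors) with the two keys."""
    s = lambda x: struct.pack("<Q", len(x.encode())) + x.encode()
    kv = s(COUNT_KEY) + struct.pack("<II", T_UINT32, block_count)
    kv += s(INDEX_KEY) + struct.pack("<IIQ", T_ARRAY, T_UINT32, len(layer_indices))
    kv += b"".join(struct.pack("<I", i) for i in layer_indices)
    return MAGIC + struct.pack("<IQQ", 3, 0, 2) + kv
```

A loader that runs `validate_layer_indices` before using any index to address per-layer buffers refuses the oversized index instead of writing past the allocation.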

[Figure: model file used to confirm the OOB write]

Attackers who gain access to Ollama’s API can load and execute these weaponized models, achieving remote code execution on the target system.

Sonarsource confirmed the vulnerability is exploitable in builds without the Position Independent Executable (PIE) configuration. Official releases include this protection, but experts believe exploitation remains feasible with additional effort.

The vulnerability particularly affects the mllama model parsing code written in C++, where unsafe memory operations occur during model initialization.

The Ollama development team addressed this vulnerability in version 0.7.0 by completely rewriting the vulnerable mllama model handling code in Go, eliminating the unsafe C++ implementation.

Users running older versions face significant security risks and should upgrade to the latest release immediately.

Organizations using Ollama in production environments should audit their deployments and implement version controls to prevent the loading of untrusted model files.


Abinaya

Abi is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.
