Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
Details
CVSS v3
9.1
CVSS v4
7.7
NVD published
2026-04-29 12:16:18
EPSS
<0.1% probability · 1.0th percentile — 2026-05-12
Affected versions
Ollama for Windows 0.12.10 to 0.17.5
Summary
Ollama for Windows does not perform any integrity or authenticity verification of downloaded update executables. The Windows implementation's verification routine unconditionally returns success, so no signature validation takes place before an update payload is executed. An attacker who can tamper with the update download in transit can therefore substitute an arbitrary executable, which the updater then runs. This flaw is commonly chained with CVE-2026-42249 to achieve full remote code execution.
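The following Go program is an added illustration of the flaw class described above and is not Ollama's code: a verification hook that unconditionally returns success is placed beside a hardened version that checks a detached Ed25519 signature under a pinned publisher key. The `update` type, the function names, the constant-seed demo key and the installer byte strings are all constructed for the example; it runs offline and shows that the no-op verifier accepts an attacker-substituted installer delivered with the original signature, while the signed verifier rejects it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical update record: the downloaded installer bytes and a detached
// signature fetched alongside them. Neither the type nor the functions below
// are Ollama's code; they illustrate the flaw class the advisory describes.
type update struct {
	payload   []byte
	signature []byte
}

// verifyAlwaysOK is the vulnerable pattern: a verification hook that exists
// in the call chain but unconditionally reports success, so the caller
// proceeds to execute whatever bytes arrived.
func verifyAlwaysOK(u update, pub ed25519.PublicKey) error {
	return nil
}

// verifySigned is a hardened replacement: the detached Ed25519 signature must
// verify, under a key pinned in the binary, over the SHA-256 digest of the
// exact bytes that will be executed.
func verifySigned(u update, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("pinned publisher key is malformed")
	}
	if len(u.signature) != ed25519.SignatureSize {
		return errors.New("update signature missing or malformed")
	}
	digest := sha256.Sum256(u.payload)
	if !ed25519.Verify(pub, digest[:], u.signature) {
		return errors.New("update signature does not verify under pinned publisher key")
	}
	return nil
}

// demoKeys derives a fixed keypair from a constant seed so the example is
// reproducible. This is a constructed demo key, not any real publisher key.
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// signUpdate produces the detached signature a legitimate publisher would ship.
func signUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return ed25519.Sign(priv, digest[:])
}

// runScenario feeds a verifier two downloads: the genuine installer with its
// real signature, and an attacker-substituted installer delivered with the
// original signature (what a man-in-the-middle can replay). It returns whether
// each was accepted; a sound verifier yields (true, false).
func runScenario(verify func(update, ed25519.PublicKey) error) (genuineAccepted, tamperedAccepted bool) {
	pub, priv := demoKeys()
	genuine := []byte("MZ...constructed stand-in for the real installer bytes")
	sig := signUpdate(priv, genuine)
	genuineAccepted = verify(update{payload: genuine, signature: sig}, pub) == nil

	tampered := []byte("MZ...attacker-supplied executable")
	tamperedAccepted = verify(update{payload: tampered, signature: sig}, pub) == nil
	return genuineAccepted, tamperedAccepted
}

func main() {
	verifiers := []struct {
		name string
		fn   func(update, ed25519.PublicKey) error
	}{
		{"always-ok (vulnerable)", verifyAlwaysOK},
		{"ed25519 pinned (hardened)", verifySigned},
	}
	for _, v := range verifiers {
		g, t := runScenario(v.fn)
		fmt.Printf("%-26s genuine accepted=%v tampered accepted=%v\n", v.name, g, t)
	}
}
```

The hardened verifier binds the check to the bytes that will actually execute and to a key compiled into the client, so a network attacker cannot pass by replaying a signature from a different release or by stripping the signature entirely; a length check on the signature also keeps a missing manifest from degrading into an implicit accept.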
Remediation
Restrict network access to affected Ollama for Windows installations so that update downloads cannot be intercepted or substituted in transit. Disable automatic silent updates until maintainers release a patched version. Audit systems that ran vulnerable versions for unauthorized code.