Critical Memory Leak Flaw Exposes Ollama Servers to Remote Data Theft

A critical out-of-bounds read vulnerability in Ollama allows remote attackers to leak process memory, exposing API keys and user conversations.

CSBadmin
How the Vulnerability Works

Researchers have uncovered a critical out-of-bounds read vulnerability in Ollama, the popular open-source framework for running large language models locally. The flaw, codenamed Bleeding Llama, allows a remote unauthenticated attacker to leak the entire process memory of an exposed server. The vulnerability stems from Ollama’s use of the unsafe package when creating a model from a GGUF file. A function named WriteTo() reads past the allocated heap buffer when processing a crafted GGUF file where the declared tensor offset and size exceed the file’s actual length.

Attackers can exploit this by sending a specially designed GGUF file to an Ollama server’s /api/create endpoint. By setting the tensor’s shape to an excessively large number during model creation, the server is tricked into performing a heap out-of-bounds read operation. This bypasses the memory safety guarantees typically provided by the programming language.
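The missing check described above, as an added example in Go (the language Ollama is written in); this is not Ollama's code or its actual patch. `TensorInfo`, `ValidateTensor` and the fixed `ElemSize` field are hypothetical simplifications: the validator rejects any tensor whose declared shape overflows or whose declared offset and size reach past the end of the file.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// TensorInfo is a simplified, hypothetical header entry (not Ollama's type).
type TensorInfo struct {
	Name     string
	Shape    []uint64 // declared dimensions
	ElemSize uint64   // bytes per element (assumed fixed-width type)
	Offset   uint64   // declared start, relative to the data section
}

var (
	ErrTensorOverflow = errors.New("declared tensor size overflows uint64")
	ErrTensorBounds   = errors.New("declared tensor region exceeds file length")
)

// ValidateTensor returns the byte size only if the declared region fits in fileLen.
func ValidateTensor(t TensorInfo, dataStart, fileLen uint64) (uint64, error) {
	size := t.ElemSize
	for _, dim := range t.Shape {
		hi, lo := bits.Mul64(size, dim) // 128-bit product detects wraparound
		if hi != 0 {
			return 0, fmt.Errorf("tensor %q: %w", t.Name, ErrTensorOverflow)
		}
		size = lo
	}
	start, carry := bits.Add64(dataStart, t.Offset, 0)
	if carry != 0 || start > fileLen || size > fileLen-start {
		return 0, fmt.Errorf("tensor %q: %w", t.Name, ErrTensorBounds)
	}
	return size, nil
}

func main() {
	const dataStart, fileLen = 64, 192 // constructed sample: 192-byte file, data at byte 64
	for _, t := range []TensorInfo{
		{Name: "ok", Shape: []uint64{4, 8}, ElemSize: 4},
		{Name: "huge_shape", Shape: []uint64{1 << 30}, ElemSize: 4},
		{Name: "wraps", Shape: []uint64{1 << 40, 1 << 40}, ElemSize: 4},
	} {
		size, err := ValidateTensor(t, dataStart, fileLen)
		fmt.Println(t.Name, size, err)
	}
}
```

Comparing `size` against `fileLen-start` rather than computing `start+size` keeps the final comparison itself from wrapping around.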

Impact and Scope

The vulnerability affects all Ollama versions before 0.17.1 and likely impacts over 300,000 servers globally. Successful exploitation could leak sensitive data from the Ollama process memory, including environment variables, API keys, system prompts, and concurrent users’ conversation data. This information can be exfiltrated by uploading it to an attacker-controlled destination.

Ollama has accumulated more than 171,000 stars on GitHub and has been forked over 16,100 times, highlighting its widespread adoption. Users are strongly advised to update to version 0.17.1 or later to mitigate the risk. Organizations running Ollama servers should also ensure they are not exposed to the internet unnecessarily and implement network access controls.

Source: The Hacker News
