The disclosure of CVE-2026-7482, codenamed "Bleeding Llama," represents a critical shift in the threat landscape for AI infrastructure. With a CVSS score of 9.1, this out-of-bounds read vulnerability in Ollama—the popular open-source large language model (LLM) runner—allows remote, unauthenticated attackers to leak the entire process memory of the server.
For SOC analysts and CISOs, this is not just a standard buffer overflow. In the context of an LLM server, process memory often contains the most sensitive data an organization possesses: proprietary model weights, API keys, authentication tokens, and the raw text of confidential user prompts currently being processed. With an estimated 300,000+ servers potentially exposed globally, the attack surface is significant and immediate action is required.
Technical Analysis
Affected Products:
- Ollama (Versions prior to the patch released in May 2026). The vulnerability specifically impacts the API server component responsible for handling incoming model requests.
Vulnerability Details:
- CVE ID: CVE-2026-7482
- CVSS Score: 9.1 (Critical)
- Vulnerability Type: Out-of-Bounds Read (CWE-125)
- Codename: Bleeding Llama
Attack Chain:
- Reconnaissance: The attacker scans for Ollama instances, typically identifying them by the default open port 11434.
- Exploitation: The attacker sends a specially crafted HTTP request to the Ollama API endpoint. This request triggers the out-of-bounds read flaw.
- Memory Disclosure: The server responds with data from its memory space adjacent to the intended buffer. By manipulating the offset, an attacker can iterate through the memory space.
- Exfiltration: The attacker parses the dumped memory to extract secrets (keys, tokens) or sensitive prompt data.
Exploitation Status: Proof-of-concept (PoC) code has been released by researchers at Cyera. Given the ease of exploitation (no authentication required) and the high value of the target data, active scanning and exploitation attempts in the wild are expected to rise rapidly.
Detection & Response
Detecting this vulnerability requires identifying if Ollama is running and exposed to untrusted networks, as well as identifying suspicious retrieval patterns against the API. Since the exploit traffic looks like standard HTTP API traffic, signature-based detection is difficult. Defense relies heavily on asset discovery, network segmentation monitoring, and verifying service versions.
Sigma Rules
These rules focus on detecting network exposure to the default Ollama port and suspicious process execution patterns associated with the server component.
---
title: Potential Ollama Server Exposure to External Network
id: a4b2c8d1-6e3f-4a5b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects inbound network connections to the default Ollama API port (11434) from external sources, indicating potential exposure or probing.
references:
- https://nvd.nist.gov/vuln/detail/CVE-2026-7482
author: Security Arsenal
date: 2026/05/13
tags:
- attack.initial_access
- attack.t1190
logsource:
category: network_connection
product: windows
# Note: Use linux/firewall logsource depending on data source availability
detection:
selection:
DestinationPort: 11434
Initiated: 'false' # Inbound connection
filter_localhost:
SourceIp|startswith:
- '127.'
- '10.'
- '192.168.'
- '172.16.'
- '172.17.'
- '172.18.'
- '172.19.'
- '172.20.'
- '172.21.'
- '172.22.'
- '172.23.'
- '172.24.'
- '172.25.'
- '172.26.'
- '172.27.'
- '172.28.'
- '172.29.'
- '172.30.'
- '172.31.'
- '::1'
condition: selection and not filter_localhost
falsepositives:
- Legitimate remote access to Ollama from known internal subnets or VPNs (tune filter_localhost accordingly)
level: high
---
title: Ollama Process Execution on Linux Endpoint
id: b5c3d9e2-7f4g-5b6c-0d1e-2f3g4a5b6c7d
status: experimental
description: Identifies the execution of the Ollama daemon process on Linux endpoints to assess inventory of potentially vulnerable assets.
references:
- https://ollama.com/
author: Security Arsenal
date: 2026/05/13
tags:
- attack.discovery
- attack.t1518
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/ollama'
CommandLine|contains: 'serve'
condition: selection
falsepositives:
- Administrator-managed Ollama servers
level: informational
KQL (Microsoft Sentinel / Defender)
This query hunts for inbound connections to the Ollama service port. It assumes network logs (Syslog/CEF or DeviceNetworkEvents) are being ingested.
// Hunt for connections to Ollama default port 11434
DeviceNetworkEvents
| where RemotePort == 11434
| where ActionType == "InboundConnectionAccepted" or ActionType == "ConnectionSuccess"
| project Timestamp, DeviceName, InitiatingProcessAccount, RemoteIP, RemotePort, LocalPort
| extend IsPrivateIP = iff(
tostring(RemoteIP) startswith "10." or
tostring(RemoteIP) startswith "192.168." or
tostring(RemoteIP) startswith "127." or
tostring(RemoteIP) startswith "172.16." or
tostring(RemoteIP) startswith "172.17." or
tostring(RemoteIP) startswith "172.18." or
tostring(RemoteIP) startswith "172.19." or
tostring(RemoteIP) startswith "172.20." or
tostring(RemoteIP) startswith "172.21." or
tostring(RemoteIP) startswith "172.22." or
tostring(RemoteIP) startswith "172.23." or
tostring(RemoteIP) startswith "172.24." or
tostring(RemoteIP) startswith "172.25." or
tostring(RemoteIP) startswith "172.26." or
tostring(RemoteIP) startswith "172.27." or
tostring(RemoteIP) startswith "172.28." or
tostring(RemoteIP) startswith "172.29." or
tostring(RemoteIP) startswith "172.30." or
tostring(RemoteIP) startswith "172.31.",
true, false)
| where IsPrivateIP == false // Focus on external connections
| summarize count() by DeviceName, RemoteIP
| order by count_ desc
Velociraptor VQL
This artifact hunts for Ollama processes and specifically checks if the service is listening on a non-loopback address (0.0.0.0), which indicates exposure to the network.
-- Hunt for Ollama processes and exposed network sockets
SELECT
P.Pid AS Pid,
P.Name AS ProcessName,
P.CommLine AS CommandLine,
F.Address AS ListeningAddress,
F.Port AS ListeningPort
FROM pslist() P
JOIN listen_sockets() F ON P.Pid = F.Pid
WHERE P.Name = "ollama" AND F.Port = 11434
-- Identify if listening on all interfaces (0.0.0.0) or specific external IPs
AND NOT (F.Address = "127.0.0.1" OR F.Address = "::1" OR F.Address = "[::1]")
Remediation Script (Bash)
Use this script on Linux servers to check for the presence of Ollama, determine if it is exposed, and verify the version against the patched release (assuming patched version is > 0.1.40). Note: Replace the PATCHED_VERSION variable with the specific secure version number provided in the official vendor advisory.
#!/bin/bash
# Remediation Script for CVE-2026-7482 (Bleeding Llama)
# Usage: sudo ./check_ollama.sh
PATCHED_VERSION="0.1.40" # UPDATE THIS WITH OFFICIAL PATCHED VERSION
VULNERABLE_PORT=11434
BINARY_NAME="ollama"
echo "[*] Checking for Ollama installation..."
if ! command -v $BINARY_NAME &> /dev/null; then
echo "[+] Ollama is not installed on this system."
exit 0
fi
echo "[!] Ollama is installed."
# Check Version
INSTALLED_VERSION=$(ollama --version | awk '{print $NF}')
echo "[*] Installed Version: $INSTALLED_VERSION"
# Check Network Exposure (Listening on 0.0.0.0 or specific external IPs)
echo "[*] Checking network exposure for port $VULNERABLE_PORT..."
# Using ss to check listening sockets. Excluding 127.0.0.1 and ::1
EXPOSED=$(ss -tulnp | grep ":$VULNERABLE_PORT" | grep -v "127.0.0.1" | grep -v "::1")
if [ -n "$EXPOSED" ]; then
echo "[!] ALERT: Ollama is listening on an external interface!"
echo "$EXPOSED"
else
echo "[+] Ollama appears to be listening only on localhost or is not running."
fi
# Version Check Logic (Simple string comparison, may need dpkg/rpm version compare for accuracy)
if [ "$INSTALLED_VERSION" \< "$PATCHED_VERSION" ]; then
echo "[!] CRITICAL: Ollama version $INSTALLED_VERSION is vulnerable to CVE-2026-7482."
echo "[*] Remediation Steps:"
echo " 1. Update Ollama immediately: curl -fsSL https://ollama.com/install.sh | sh"
echo " 2. Restart the service: systemctl restart ollama"
echo " 3. If update is not possible, stop the service and block port 11434 at the firewall."
else
echo "[+] Version $INSTALLED_VERSION appears to be patched."
fi
Remediation
1. Patch Immediately:
Update Ollama to the latest patched version released by the vendor to address CVE-2026-7482. This is the only definitive fix for the out-of-bounds read flaw.
- Official Advisory: Ollama Security Updates
2. Network Segmentation (Immediate Mitigation): If patching is delayed, restrict access to the Ollama API server immediately. The service should not be exposed to the public internet.
- Block inbound TCP port 11434 at the perimeter firewall.
- Configure the host firewall (iptables/ufw/firewalld) to allow connections only from specific management subnets or localhost.
3. Configuration Hardening:
Ensure Ollama binds specifically to 127.0.0.1 if remote access is not required by the application architecture. If remote access is required, place it behind a reverse proxy (e.g., Nginx, Traefik) with strong authentication (e.g., OAuth2, Basic Auth) to prevent unauthenticated access.
4. Credential Rotation: Because CVE-2026-7482 allows for arbitrary memory reads, assume that any API keys, session tokens, or secrets processed by the Ollama server prior to patching may have been compromised. Initiate credential rotation for any secrets utilized by the application.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.