CVE-2026-7482: 'Bleeding Llama' Leaking Process Memory in Ollama
Just caught wind of this new disclosure regarding Ollama. Cyera has released details on "Bleeding Llama" (CVE-2026-7482), and it looks pretty nasty for anyone running exposed instances.
The Breakdown
- CVE ID: CVE-2026-7482
- CVSS Score: 9.1 (Critical)
- Impact: Out-of-bounds read allowing full process memory leak.
- Attack Vector: Remote, unauthenticated.
This isn't just about model weights. Since Ollama often handles inference with sensitive prompts or system prompts containing context, leaking process memory could expose API keys, internal prompts, or other data residing in the heap during runtime. With an estimated 300k+ servers potentially exposed, the blast radius is significant.
Mitigation & Detection
If you are hosting Ollama, ensure it isn't bound to 0.0.0.0 unless absolutely necessary. You can quickly check your exposure with:
ss -tulpn | grep :11434
For those running it in Docker, make sure you're mapping ports correctly to 127.0.0.1 only.
I've thrown together a quick Python snippet to help teams check if their specific version falls within the vulnerable range defined in the advisory (assuming versions < 0.1.35 are impacted for this example):
import subprocess
def check_ollama_version():
try:
result = subprocess.run(['ollama', '--version'], capture_output=True, text=True)
version = result.stdout.strip().split(' ')[1]
# Example check logic - replace with actual vulnerable versions from advisory
if version < "0.1.35":
print(f"Vulnerable version detected: {version}")
else:
print(f"Version {version} appears safe.")
except FileNotFoundError:
print("Ollama not found.")
if __name__ == "__main__":
check_ollama_version()
Given the rise of local LLM deployment in dev environments, are we seeing too many of these services exposed by default on public IPs?
Good catch on the ss command. We actually caught a few instances during a scan this morning using Shodan queries for port:11434. The amount of people exposing their local AI stack directly to the internet is staggering. I'd recommend throwing a reverse proxy like Nginx in front of it with basic auth or IP whitelisting immediately.
From a pentester perspective, this memory leak is gold. Process memory often holds the context window data. If someone is pasting code snippets or proprietary config files into the chat, this vulnerability dumps that raw data without needing to mess with prompt injection. Patch this ASAP, folks.
Does anyone know if the latest Docker tag :latest has been patched yet? I checked the GitHub repo but the release notes are vague on the specific commit for the OOB fix. I'm holding off on redeploying our internal dev cluster until I can confirm the fix is in the image layer.
For those using Docker, since the release notes are vague, verify the image creation date to ensure :latest actually pulled the fix. Run this to check when your image was built:
docker inspect ollama/ollama:latest | grep Created
If the timestamp predates the disclosure, force a pull with `docker pull ollama/ollama:latest --no-cache`. Don't trust the tag blindly right now.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access