Critical security vulnerabilities discovered in Ollama, one of GitHub’s most popular open-source projects with over 155,000 stars, could allow attackers to execute arbitrary code on vulnerable systems.
The flaws affect Ollama versions before 0.7.0, putting countless AI enthusiasts and developers who use the platform to run large language models locally at risk.
Understanding the Vulnerability
Security researchers uncovered a critical Out-Of-Bounds Write vulnerability in Ollama that occurs when it parses malicious model files.
The vulnerability exists in code that handles GGUF files, a binary format used to store model metadata and weights.
Attackers with access to Ollama’s API can exploit this by loading specially crafted model files, leading to remote code execution.
The vulnerability was confirmed as exploitable in builds without Position Independent Executable (PIE) configuration.
However, researchers believe it could also be exploited in PIE-enabled builds, including official releases. Users are strongly urged to update immediately.
Ollama’s architecture combines Go, C, and C++, with compute-intensive tasks like inference handled by C/C++ code.
The platform implements a client-server model where the server spawns runner processes to handle model inference.
During this process, Ollama must parse and load models from disk, creating an opportunity for attackers to inject malicious code.
The specific vulnerability involves unsafe handling of model metadata during the parsing of MLLAMA models, a multi-modal version of the Llama family.
The code reads metadata from model files without properly validating array bounds, creating an Out-Of-Bounds Write condition.
Since attackers can control model files, this metadata should be treated as untrusted data, but Ollama failed to implement adequate validation.
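The defect described above is the classic pattern of copying a file-supplied array into a fixed-size destination while trusting the file's own element count. The following Go example is added here to illustrate the defensive check; it is not Ollama's code, and the byte layout it parses (a little-endian uint32 count followed by that many uint32 values) is a constructed toy format, not GGUF's real encoding. The names `parseUint32Array`, `encodeUint32Array` and `maxElems` are illustrative only.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// maxElems is the fixed capacity of the destination, standing in for a
// C-style array in a native parser. Hypothetical value for illustration.
const maxElems = 4

var (
	errTruncated = errors.New("metadata array truncated")
	errTooLarge  = errors.New("declared element count exceeds destination capacity")
)

// parseUint32Array reads a count-prefixed array from untrusted bytes into a
// fixed-size destination. The declared count is checked against the
// destination capacity first (so the later length arithmetic cannot
// overflow) and then against the bytes actually present, before any write
// happens. A loop that trusted the count would write past the end of dst.
func parseUint32Array(buf []byte) ([maxElems]uint32, int, error) {
	var dst [maxElems]uint32
	if len(buf) < 4 {
		return dst, 0, errTruncated
	}
	n := binary.LittleEndian.Uint32(buf[:4])
	if n > maxElems {
		return dst, 0, fmt.Errorf("%w: %d > %d", errTooLarge, n, maxElems)
	}
	need := 4 + int(n)*4 // safe: n is at most maxElems here
	if len(buf) < need {
		return dst, 0, errTruncated
	}
	for i := 0; i < int(n); i++ {
		dst[i] = binary.LittleEndian.Uint32(buf[4+i*4:])
	}
	return dst, int(n), nil
}

// encodeUint32Array builds a blob in the toy layout with an arbitrary
// declared count, so a header that lies about its length can be constructed
// for testing the parser's rejection path.
func encodeUint32Array(declared uint32, vals []uint32) []byte {
	out := make([]byte, 4, 4+4*len(vals))
	binary.LittleEndian.PutUint32(out, declared)
	var tmp [4]byte
	for _, v := range vals {
		binary.LittleEndian.PutUint32(tmp[:], v)
		out = append(out, tmp[:]...)
	}
	return out
}

func main() {
	// Constructed inputs: an honest header and one whose count is far larger
	// than both the destination and the payload that follows it.
	honest := encodeUint32Array(3, []uint32{10, 20, 30})
	lying := encodeUint32Array(1000, []uint32{10, 20, 30})
	for _, b := range [][]byte{honest, lying} {
		arr, n, err := parseUint32Array(b)
		fmt.Println(arr[:n], err)
	}
}
```

The order of the two checks is the point: validating the count against the destination capacity before computing the byte length keeps both the copy and the length arithmetic inside safe ranges, which is the validation the article says was missing from the native parser.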
Exploitation and Impact
Researchers developed a proof-of-concept demonstrating how attackers could craft malicious model files containing specially designed metadata.
These files exploit the vulnerability to flip arbitrary memory bits, potentially overwriting function pointers and redirecting code execution.
The attack becomes particularly dangerous when targeting NULL function pointers in memory structures, allowing attackers to call arbitrary addresses.
Through sophisticated Return-Oriented Programming techniques, attackers can redirect system functions to dangerous operations, enabling execution of arbitrary commands.
An attacker could take complete control of the system by simply loading a malicious model file.
In a remarkable turn of events, Ollama maintainers inadvertently fixed the vulnerability two days before researchers reported it.
The team rewrote the vulnerable mllama model handling code from C++ to Go, eliminating the dangerous code path. This highlights the security benefits of memory-safe programming languages.
Users should immediately update Ollama to version 0.7.0 or later to protect against this vulnerability.
Organizations using Ollama should review their API access controls to ensure only trusted users can load models, adding a security layer.
