ollama 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は バッファオーバーフロー、vendor risk input validation, and vendor risk memory corruption に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で アプリケーションクラッシュ and vendor impact memory corruption などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-7482 | Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and c | abd028dc-c042-4c4d-9749-38d0f850af89 | 8.8 | 0.03% | 2026-05-04 | 2026-05-11 |
| CVE-2026-42249 | Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory. An attacker who can infl | [email protected] | 7.7 | 0.27% | 2026-04-29 | 2026-05-18 |
| CVE-2026-42248 | Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables. Unlike other platforms, the Windows implementation of the update verification routine unconditionally returns success so no digital signature or trust validation is performed before staging or executing update payloads, enabling attacker‑supplied executables to be accepted and later executed by the application. Critically, Ollama for Windows performs silent automatic updates, so the mali | [email protected] | 7.7 | 0.01% | 2026-04-29 | 2026-05-18 |
| CVE-2026-7020 | A security flaw has been discovered in Ollama up to 0.20.2. This affects the function digestToPath of the file x/imagegen/transfer/transfer.go of the component Tensor Model Transfer Handler. The manipulation of the argument digest results in path traversal. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early abo | [email protected] | 2.9 | 0.07% | 2026-04-26 | 2026-05-06 |
| CVE-2025-66960 | An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function readGGUFV1String reads a string length from untrusted GGUF metadata | [email protected] | 7.5 | 0.62% | 2026-01-21 | 2026-02-02 |
| CVE-2025-66959 | An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder | [email protected] | 7.5 | 0.62% | 2026-01-21 | 2026-02-02 |
| CVE-2025-15514 | Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi-modal model image processing functionality. When processing base64-encoded image data via the /api/chat endpoint, the application fails to validate that the decoded data represents valid media before passing it to the mtmd_helper_bitmap_init_from_buf function. This function can return NULL for malformed input, but the code does not check this return value before dereferencing the pointe | [email protected] | 8.7 | 0.07% | 2026-01-12 | 2026-01-21 |
| CVE-2025-63389 | A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations. | [email protected] | 9.8 | 0.15% | 2025-12-18 | 2026-01-22 |
| CVE-2025-44779 | An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull. | [email protected] | 6.6 | 0.08% | 2025-08-07 | 2025-08-14 |
| CVE-2025-51471 | Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint. | [email protected] | 6.9 | 0.06% | 2025-07-22 | 2025-10-17 |
| CVE-2025-1975 | A vulnerability in the Ollama server version 0.5.11 allows a malicious user to cause a Denial of Service (DoS) attack by customizing the manifest content and spoofing a service. This is due to improper validation of array index access when downloading a model via the /api/pull endpoint, which can lead to a server crash. | [email protected] | 7.5 | 0.50% | 2025-05-16 | 2025-06-24 |
| CVE-2025-0317 | A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to upload and create a customized GGUF model file on the Ollama server. This can lead to a division by zero error in the ggufPadding function, causing the server to crash and resulting in a Denial of Service (DoS) attack. | [email protected] | 7.5 | 2.09% | 2025-03-20 | 2025-04-02 |
| CVE-2025-0315 | A vulnerability in ollama/ollama <=0.3.14 allows a malicious user to create a customized GGUF model file, upload it to the Ollama server, and create it. This can cause the server to allocate unlimited memory, leading to a Denial of Service (DoS) attack. | [email protected] | 7.5 | 0.12% | 2025-03-20 | 2025-04-02 |
| CVE-2025-0312 | A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to create a customized GGUF model file that, when uploaded and created on the Ollama server, can cause a crash due to an unchecked null pointer dereference. This can lead to a Denial of Service (DoS) attack via remote network. | [email protected] | 7.5 | 0.14% | 2025-03-20 | 2025-03-28 |
| CVE-2024-8063 | A divide by zero vulnerability exists in ollama/ollama version v0.3.3. The vulnerability occurs when importing GGUF models with a crafted type for `block_count` in the Modelfile. This can lead to a denial of service (DoS) condition when the server processes the model, causing it to crash. | [email protected] | 7.5 | 0.07% | 2025-03-20 | 2025-05-13 |
| CVE-2024-12055 | A vulnerability in Ollama versions <=0.3.14 allows a malicious user to create a customized gguf model file that can be uploaded to the public Ollama server. When the server processes this malicious model, it crashes, leading to a Denial of Service (DoS) attack. The root cause of the issue is an out-of-bounds read in the gguf.go file. | [email protected] | 7.5 | 0.06% | 2025-03-20 | 2025-05-13 |
| CVE-2024-39722 | An issue was discovered in Ollama before 0.1.46. It exposes which files exist on the server on which it is deployed via path traversal in the api/push route. | [email protected] | 7.5 | 62.17% | 2024-10-31 | 2025-05-13 |
| CVE-2024-39721 | An issue was discovered in Ollama before 0.1.34. The CreateModelHandler function uses os.Open to read a file until completion. The req.Path parameter is user-controlled and can be set to /dev/random, which is blocking, causing the goroutine to run infinitely (even after the HTTP request is aborted by the client). | [email protected] | 7.5 | 0.21% | 2024-10-31 | 2025-05-13 |
| CVE-2024-39720 | An issue was discovered in Ollama before 0.1.46. An attacker can use two HTTP requests to upload a malformed GGUF file containing just 4 bytes starting with the GGUF custom magic header. By leveraging a custom Modelfile that includes a FROM statement pointing to the attacker-controlled blob file, the attacker can crash the application through the CreateModel route, leading to a segmentation fault (signal SIGSEGV: segmentation violation). | [email protected] | 8.2 | 0.25% | 2024-10-31 | 2025-05-13 |
| CVE-2024-39719 | An issue was discovered in Ollama through 0.3.14. File existence disclosure can occur via api/create. When calling the CreateModel route with a path parameter that does not exist, it reflects the "File does not exist" error message to the attacker, providing a primitive for file existence on the server. | [email protected] | 7.5 | 44.51% | 2024-10-31 | 2025-05-13 |