Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file …

Ollama before version 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts maliciously crafted GGUF files where declared tensor offset and size exceed file length. During quantization, the server reads past allocated heap buffer boundaries. Leaked memory may contain sensitive data including environment variables, API keys, system prompts, and user conversation data. Attackers can exfiltrate this data by uploading resulting model artifacts through the /api/push endpoint. Both endpoints lack authentication in upstream distribution. While default deployments bind to localhost, the OLLAMA_HOST=0.0.0.0 configuration is widely used, creating significant public internet exposure.