The Bleeding Llama vulnerability (CVE-2026-7482) is a heap out-of-bounds read issue in the Ollama open source LLM inference engine, specifically in the GGUF model loader component. An attacker can supply a crafted GGUF file with declared tensor offsets and sizes exceeding the file length, causing the loader to read memory beyond the allocated heap buffer. This memory may contain sensitive information such as environment variables, API keys, tokens, prompts, and messages. The attacker can then use Ollama's built-in model push feature to exfiltrate this data to a remote server. The attack requires no authentication and only three API calls. Ollama deployments commonly run without authentication and listen on all network interfaces, leaving approximately 300,000 internet-accessible instances vulnerable. The issue was addressed in Ollama version 0.17.1.

Successful exploitation can lead to theft of sensitive information stored in memory, including API keys, tokens, environment variables, prompts, messages, and potentially personally identifiable information (PII) or protected health information (PHI). This exposure can compromise employee interactions, development code, and routed tool outputs. Because the vulnerability requires no authentication and many Ollama instances are internet-exposed, the risk of widespread data leakage is significant.

A fix for this vulnerability is available in Ollama version 0.17.1. Organizations should update to this version immediately. Additionally, it is recommended to restrict network access to Ollama deployments by deploying authentication proxies and firewalls, and to audit existing instances for internet exposure. Any instance accessible from the internet should be considered compromised until remediated. Network segmentation and limiting exposure reduce the attack surface.