A new CERT advisory reveals that uploading a malicious GGUF file to any exposed Ollama instance can silently exfiltrate the server’s heap memory — without authentication.
Running LLMs locally has become routine for many developers. Ollama made it trivially easy: one command, a model running on your machine, an API on port 11434. That simplicity, however, has a shadow — and a new CERT advisory published on April 22nd makes it very hard to ignore.
CVE-2026-5757 is a critical unauthenticated remote information disclosure vulnerability in Ollama’s model quantization engine. An attacker who can reach your instance’s model upload interface needs no credentials, needs to exploit no race condition, and doesn’t need to be particularly sophisticated. Upload a maliciously crafted GGUF file, trigger quantization, and the server hands over chunks of its own heap memory — potentially including API keys, tokens, conversation history, or anything else that happened to be in memory at that moment.
How It Works
The root cause is a combination of three design gaps in the quantization pipeline:
1. No bounds checking on tensor metadata. The quantization engine reads element counts from the GGUF file header and accepts them without validating them against the actual size of the data sent.
2. Unsafe memory access via Go’s unsafe.Slice. An attacker-controlled element count creates a memory slice that extends far beyond the legitimate data buffer — and into the application’s heap.
3. An inadvertent exfiltration path. The out-of-bounds heap data gets processed and written into a new model layer. Then Ollama’s own registry API can push that layer to an attacker-controlled server. The tool exfiltrates the memory for you.
It’s not a theoretical attack chain. It’s three mundane engineering decisions that, combined, turn a local AI tool into a memory leak with built-in exfiltration plumbing.
Who’s Actually at Risk
Ollama’s official documentation states that the tool is designed for local use and recommends not exposing it to untrusted networks. In practice, a significant portion of real deployments ignores this. Developers running Ollama on cloud VMs, CI/CD pipelines, shared homelab servers, or Docker containers with exposed ports are all potentially reachable. The /api/push endpoint — the exfiltration path — requires no authentication by default, just like most of Ollama’s API surface.
This isn’t new territory for Ollama. CVE-2025-63389 (CVSS 9.8, December 2025) documented that all major API endpoints — /api/tags, /api/copy, /api/delete, /api/generate, /api/chat — require no authentication. CVE-2026-5757 stacks an active exfiltration mechanism on top of that preexisting exposure.
The Harder Conversation
The ecosystem of local LLM runtimes — Ollama, LM Studio, and similar tools — was built for developer convenience, not adversarial environments. That was a reasonable design decision when these tools lived on laptops. It becomes a liability the moment they touch any network shared with untrusted parties.
As AI workloads migrate to shared infrastructure — team servers, staging environments, CI workers, managed GPU instances — the threat model changes. A tool that was “fine on my MacBook” isn’t automatically fine in a Docker container with a public IP.
At the time of writing, no patch is available. The CERT advisory notes that the vendor could not be reached for coordinated disclosure. The researcher who found the issue, Jeremy Brown, discovered it using AI-assisted vulnerability research — a detail worth noting, because it signals that the pace of vulnerability discovery in this space is accelerating.
What to Do Right Now
Check your firewall. Port 11434 shouldn’t be accessible from untrusted networks. On Linux: sudo ufw deny 11434. On cloud providers, review your security group rules.
Disable model loading if you don’t need it. The attack requires access to the model upload interface. If your deployment doesn’t need to accept models submitted by users, restrict or disable that endpoint.
Audit your deployment assumptions. If Ollama is running in a container, on a VM, or in a CI pipeline — map out what’s accessible and from where.
Watch the Ollama repository for patches. The repo is at GitHub - ollama/ollama: Get up and running with Kimi-K2.5, GLM-5, MiniMax, DeepSeek, gpt-oss, Qwen, Gemma and other models. · GitHub. Subscribe to releases.
Don’t run Ollama with elevated privileges if you can help it. A memory leak in a process running as root is significantly worse than one running as an unprivileged user.
For LatAm teams in particular: many developers in the region run Ollama on shared VPS instances or low-cost cloud VMs where firewall configuration often gets skipped for convenience. Verify your setup before assuming you’re protected.