A critical, unpatched vulnerability has been discovered in Ollama, a widely used open-source platform for running Large Language Models locally.

Tracked as CVE-2026-5757, this severe memory leak allows unauthenticated remote attackers to extract sensitive data directly from a server’s heap.

Discovered by security researcher Jeremy Brown via AI-assisted vulnerability research and disclosed publicly on April 22, 2026, the exploit targets the platform’s model upload interface.

Because the developers have not yet released a software update, administrators must actively secure their deployments to prevent unauthorized access.

AI Model Quantization Risks

Ollama is designed to help developers run resource-intensive AI models on standard hardware across Windows, macOS, and Linux.

To make this possible, the platform relies on a compression technique called model quantization, which reduces the AI model’s mathematical precision to save memory and processing power.

While highly efficient, Ollama’s quantization engine has a fatal flaw in how it handles incoming file uploads. Hackers can exploit this process by deliberately manipulating the metadata hidden inside the model files.

The attack begins when a malicious actor uploads a specially crafted GPT-Generated Unified Format (GGUF) file to the targeted server.

This upload triggers a dangerous combination of three distinct software failures that expose memory.

• The engine skips proper bounds checking by unthinkingly trusting the file’s metadata rather than verifying that the stated element count matches the actual data size.
• The system executes unsafe memory access using Go’s unsafe. Slice command, allowing the application to read memory far past the legitimate data buffer and into the server’s backend heap.
• The server inadvertently writes this leaked heap data into a new model layer, creating a hidden but highly effective data exfiltration path.
• The attacker utilizes Ollama’s built-in registry API to easily push this newly created, data-filled layer to their own external server.

Heap memory can contain highly sensitive system information, including encryption keys, user credentials, API tokens, and private user prompts.

Exposing this data can lead to complete system compromise and allow attackers to establish stealthy, long-term persistence within a corporate network.

Since the vendor was unreachable during the disclosure process, no official software patch exists to fix the underlying code flaw.

According to CERT/CC, security teams must rely on immediate defensive mitigations to protect their infrastructure.

• Turn off the model upload functionality entirely if it is not strictly required for your daily operations.
• Restrict upload interface access to trusted local networks and actively block all untrusted external IP addresses.
• Accept model uploads exclusively from verified, highly trusted sources to prevent malicious files from entering your pipeline.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.