CVE-2024-12055 Overview
CVE-2024-12055 is an out-of-bounds read vulnerability in Ollama versions <=0.3.14. The flaw resides in the gguf.go file, which parses GGUF model files uploaded to the server. A remote attacker can craft a malicious GGUF model file and upload it to a public Ollama server. When the server processes the file, it reads memory outside the intended buffer boundary and crashes. This results in a Denial of Service (DoS) condition against the Ollama service. The vulnerability requires no authentication and no user interaction, making it accessible to any attacker who can reach the Ollama API.
Critical Impact
Remote unauthenticated attackers can crash Ollama servers by uploading a crafted GGUF model file, disrupting AI inference workloads.
Affected Products
- Ollama versions <=0.3.14
- Public Ollama servers accepting model uploads
- Self-hosted Ollama deployments exposing the model API
Discovery Timeline
- 2025-03-20 - CVE-2024-12055 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-12055
Vulnerability Analysis
The vulnerability is classified as an out-of-bounds read [CWE-125] in the GGUF model parsing logic. GGUF (GPT-Generated Unified Format) is the binary format Ollama uses to load large language model weights and metadata. When Ollama deserializes a GGUF file, it reads header fields, tensor descriptors, and metadata key-value pairs from the input stream. The parser in gguf.go does not adequately validate length or offset values supplied by the file before accessing the underlying byte buffer.
An attacker who controls the file contents can specify values that cause the parser to read past the end of an allocated structure. The Go runtime detects the invalid memory access and terminates the process, taking the inference service offline. Because Ollama is typically deployed as a long-running daemon serving multiple clients, a single malformed upload disrupts service for all users.
Root Cause
The root cause is missing bounds validation in gguf.go during model file deserialization. Length and offset fields drawn from attacker-controlled input are used to index into buffers without first verifying that the computed positions fall within valid memory regions. The CWE-125 classification confirms the issue is a read-side boundary violation rather than a write-side corruption.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker submits a malicious GGUF file through the standard Ollama model upload or load interface. The server attempts to parse the file, triggers the out-of-bounds read, and crashes. The vulnerability manifests during file parsing in gguf.go. See the Huntr Bounty Report for technical details on the malformed field that triggers the read.
Detection Methods for CVE-2024-12055
Indicators of Compromise
- Unexpected Ollama process termination or repeated daemon restarts after model uploads
- GGUF files received from untrusted sources with anomalous header lengths or tensor metadata sizes
- API requests to model load or push endpoints originating from unknown external IP addresses
Detection Strategies
- Monitor Ollama process exit codes and crash logs for signatures consistent with Go runtime panics in gguf.go
- Inspect inbound GGUF uploads at a network proxy and flag files whose declared metadata or tensor offsets exceed file size
- Correlate model upload events with service availability metrics to identify upload-induced outages
Monitoring Recommendations
- Enable verbose logging on the Ollama daemon and forward logs to a centralized SIEM for crash pattern analysis
- Track request rates and source IPs on /api/create, /api/push, and model-loading endpoints
- Alert on repeated daemon restarts within short time windows, which indicate exploitation attempts
How to Mitigate CVE-2024-12055
Immediate Actions Required
- Upgrade Ollama to a version later than 0.3.14 that includes the parser bounds check
- Restrict network access to the Ollama API so only trusted clients can upload models
- Disable anonymous model upload functionality on internet-facing Ollama deployments
- Place Ollama behind an authenticated reverse proxy enforcing request size and rate limits
Patch Information
Upgrade to an Ollama release greater than 0.3.14. The fix adds boundary validation in gguf.go so length and offset fields are checked against the file size before buffer access. Review the Huntr Bounty Report for the upstream fix reference.
Workarounds
- Block uploads from untrusted networks using firewall or ingress rules until patching is complete
- Run Ollama under a process supervisor such as systemd with automatic restart to reduce downtime from crashes
- Validate GGUF files against expected size and metadata constraints at an upstream proxy before forwarding to Ollama
# Restrict Ollama API exposure to localhost and upgrade
sudo systemctl stop ollama
export OLLAMA_HOST=127.0.0.1:11434
curl -fsSL https://ollama.com/install.sh | sh
ollama --version # verify version > 0.3.14
sudo systemctl start ollama
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

