Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-39720

CVE-2024-39720: Ollama Denial of Service Vulnerability

CVE-2024-39720 is a denial of service vulnerability in Ollama allowing attackers to crash the application via a malformed GGUF file. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2024-39720 Overview

CVE-2024-39720 is an out-of-bounds read vulnerability [CWE-125] affecting Ollama versions prior to 0.1.46. An attacker can send two HTTP requests to upload a malformed GGUF file containing only 4 bytes starting with the GGUF custom magic header. By referencing this attacker-controlled blob in a custom Modelfile through a FROM statement, the attacker triggers the CreateModel route and crashes the Ollama process with a segmentation fault (SIGSEGV). The flaw allows unauthenticated network-based denial of service against exposed Ollama instances used for large language model (LLM) inference.

Critical Impact

Unauthenticated remote attackers can crash Ollama servers through malformed GGUF model files, causing denial of service to LLM inference workloads.

Affected Products

  • Ollama versions before 0.1.46
  • Self-hosted Ollama deployments exposing the HTTP API
  • Containerized Ollama services running vulnerable releases

Discovery Timeline

  • 2024-10-31 - CVE-2024-39720 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-39720

Vulnerability Analysis

The vulnerability resides in the GGUF model file parser used by Ollama's CreateModel route. GGUF is the binary container format used to distribute quantized model weights for local inference. Ollama's parser inspects the file's magic header to determine format validity but fails to verify that the file contains enough bytes to satisfy subsequent read operations.

When the parser encounters a file containing only the 4-byte GGUF magic header, it proceeds to dereference data structures that were never populated. The read extends past the end of the mapped buffer, producing an out-of-bounds read condition that the Go runtime surfaces as a segmentation violation. The process terminates, dropping all in-flight inference requests.

The attack uses two sequential HTTP requests. The first uploads the malformed blob to the Ollama blob storage endpoint. The second submits a Modelfile referencing that blob through a FROM directive, which triggers parsing and the resulting crash.

Root Cause

The root cause is missing length validation in the GGUF header parsing logic. The code accepts any file beginning with the GGUF magic bytes as a candidate model file without confirming the presence of required header fields. This classifies the defect as [CWE-125] Out-of-bounds Read.

Attack Vector

Exploitation requires only network access to the Ollama HTTP API. No authentication, user interaction, or local privileges are needed. Any client able to reach the blob upload and CreateModel endpoints can trigger the crash. The Oligo Security research team documented the technique in their public analysis of Ollama vulnerabilities.

The vulnerability is described in the Oligo Security Blog Post and the patch is visible in the GitHub Version Comparison between v0.1.45 and v0.1.46.

Detection Methods for CVE-2024-39720

Indicators of Compromise

  • Ollama process termination with signal SIGSEGV: segmentation violation entries in system or container logs
  • Blob upload requests followed immediately by POST /api/create requests from the same client
  • Uploaded blobs of unusually small size (4 bytes) beginning with the GGUF magic header
  • Repeated unexpected restarts of the Ollama service or container

Detection Strategies

  • Monitor Ollama API access logs for sequences of blob upload requests followed by CreateModel calls from unauthenticated sources
  • Inspect uploaded model blobs for minimum expected size and valid GGUF structure before parsing
  • Alert on segmentation fault crash signatures in process supervisor logs (systemd, Docker, Kubernetes)

Monitoring Recommendations

  • Track Ollama service uptime and restart frequency through container orchestration metrics
  • Forward Ollama HTTP access logs to a centralized log platform for correlation with crash events
  • Establish baselines for normal Modelfile creation activity and alert on anomalous bursts

How to Mitigate CVE-2024-39720

Immediate Actions Required

  • Upgrade Ollama to version 0.1.46 or later on all hosts and container images
  • Restrict network exposure of the Ollama HTTP API to trusted clients using firewall or reverse proxy rules
  • Place Ollama behind an authenticating proxy if remote access is required
  • Audit existing model blobs and Modelfiles for unexpected entries created by unknown clients

Patch Information

The fix is included in Ollama 0.1.46. The patch adds length validation when parsing GGUF headers in the CreateModel path. Review the upstream change in the GitHub Version Comparison for the specific code modifications.

Workarounds

  • Bind Ollama to localhost only by setting OLLAMA_HOST=127.0.0.1 when remote access is not required
  • Deploy a reverse proxy enforcing authentication and request size limits in front of Ollama
  • Use container network policies to restrict ingress to the Ollama API port
  • Run Ollama under a process supervisor that automatically restarts the service after crashes to reduce downtime
bash
# Configuration example: bind Ollama to localhost and restrict API exposure
export OLLAMA_HOST=127.0.0.1:11434
systemctl restart ollama

# Verify installed Ollama version is patched (>= 0.1.46)
ollama --version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.