CVE-2024-39720 Overview
CVE-2024-39720 is an out-of-bounds read vulnerability [CWE-125] affecting Ollama versions prior to 0.1.46. An attacker can send two HTTP requests to upload a malformed GGUF file containing only 4 bytes starting with the GGUF custom magic header. By referencing this attacker-controlled blob in a custom Modelfile through a FROM statement, the attacker triggers the CreateModel route and crashes the Ollama process with a segmentation fault (SIGSEGV). The flaw allows unauthenticated network-based denial of service against exposed Ollama instances used for large language model (LLM) inference.
Critical Impact
Unauthenticated remote attackers can crash Ollama servers through malformed GGUF model files, causing denial of service to LLM inference workloads.
Affected Products
- Ollama versions before 0.1.46
- Self-hosted Ollama deployments exposing the HTTP API
- Containerized Ollama services running vulnerable releases
Discovery Timeline
- 2024-10-31 - CVE-2024-39720 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-39720
Vulnerability Analysis
The vulnerability resides in the GGUF model file parser used by Ollama's CreateModel route. GGUF is the binary container format used to distribute quantized model weights for local inference. Ollama's parser inspects the file's magic header to determine format validity but fails to verify that the file contains enough bytes to satisfy subsequent read operations.
When the parser encounters a file containing only the 4-byte GGUF magic header, it proceeds to dereference data structures that were never populated. The read extends past the end of the mapped buffer, producing an out-of-bounds read condition that the Go runtime surfaces as a segmentation violation. The process terminates, dropping all in-flight inference requests.
The attack uses two sequential HTTP requests. The first uploads the malformed blob to the Ollama blob storage endpoint. The second submits a Modelfile referencing that blob through a FROM directive, which triggers parsing and the resulting crash.
Root Cause
The root cause is missing length validation in the GGUF header parsing logic. The code accepts any file beginning with the GGUF magic bytes as a candidate model file without confirming the presence of required header fields. This classifies the defect as [CWE-125] Out-of-bounds Read.
Attack Vector
Exploitation requires only network access to the Ollama HTTP API. No authentication, user interaction, or local privileges are needed. Any client able to reach the blob upload and CreateModel endpoints can trigger the crash. The Oligo Security research team documented the technique in their public analysis of Ollama vulnerabilities.
The vulnerability is described in the Oligo Security Blog Post and the patch is visible in the GitHub Version Comparison between v0.1.45 and v0.1.46.
Detection Methods for CVE-2024-39720
Indicators of Compromise
- Ollama process termination with signal SIGSEGV: segmentation violation entries in system or container logs
- Blob upload requests followed immediately by POST /api/create requests from the same client
- Uploaded blobs of unusually small size (4 bytes) beginning with the GGUF magic header
- Repeated unexpected restarts of the Ollama service or container
Detection Strategies
- Monitor Ollama API access logs for sequences of blob upload requests followed by CreateModel calls from unauthenticated sources
- Inspect uploaded model blobs for minimum expected size and valid GGUF structure before parsing
- Alert on segmentation fault crash signatures in process supervisor logs (systemd, Docker, Kubernetes)
Monitoring Recommendations
- Track Ollama service uptime and restart frequency through container orchestration metrics
- Forward Ollama HTTP access logs to a centralized log platform for correlation with crash events
- Establish baselines for normal Modelfile creation activity and alert on anomalous bursts
How to Mitigate CVE-2024-39720
Immediate Actions Required
- Upgrade Ollama to version 0.1.46 or later on all hosts and container images
- Restrict network exposure of the Ollama HTTP API to trusted clients using firewall or reverse proxy rules
- Place Ollama behind an authenticating proxy if remote access is required
- Audit existing model blobs and Modelfiles for unexpected entries created by unknown clients
Patch Information
The fix is included in Ollama 0.1.46. The patch adds length validation when parsing GGUF headers in the CreateModel path. Review the upstream change in the GitHub Version Comparison for the specific code modifications.
Workarounds
- Bind Ollama to localhost only by setting OLLAMA_HOST=127.0.0.1 when remote access is not required
- Deploy a reverse proxy enforcing authentication and request size limits in front of Ollama
- Use container network policies to restrict ingress to the Ollama API port
- Run Ollama under a process supervisor that automatically restarts the service after crashes to reduce downtime
# Configuration example: bind Ollama to localhost and restrict API exposure
export OLLAMA_HOST=127.0.0.1:11434
systemctl restart ollama
# Verify installed Ollama version is patched (>= 0.1.46)
ollama --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

