Product context
Product: Ollama
Function: Local and server-based runtime for large language models
Primary Use Case: Model creation, import, and inference using GGUF model files
Typical Deployment: Desktop systems, servers, containers, CI/CD pipelines
Exposure: Often bound to localhost but commonly exposed through reverse proxies or APIs
Ollama processes GGUF model files during model creation and loading. Both vulnerabilities described below stem from improper validation of GGUF metadata and result in service crashes when malformed input is parsed.
Consolidated CVE summary
| CVE Name | CVE ID | CVSS Score | Severity | Vulnerability Type | Impact |
|---|---|---|---|---|---|
| Ollama GGUF Decoder Input Validation Failure | CVE-2025-66959 | Not officially assigned | Medium–High | Improper Input Validation | Remote Denial of Service |
| Ollama GGUF v1 String Length Validation Failure | CVE-2025-66960 | Estimated 7.5 | High | Improper Input Validation | Remote Denial of Service |
CVE-2025-66959 — Detailed vulnerability information
Vulnerability description
A denial-of-service vulnerability exists in Ollama’s GGUF model decoding logic. During the parsing of GGUF metadata, length and index values are read directly from the model file and used internally without sufficient validation. When a crafted or malformed GGUF file is processed, these unchecked values cause invalid slice operations in the Go runtime.
As a result, the Ollama process encounters a runtime panic and terminates unexpectedly, leading to immediate service unavailability.
Root cause
The GGUF decoder relies on metadata fields embedded in the model file to determine memory allocation sizes and slice boundaries. These fields are treated as trusted input. When malicious or malformed values are supplied, allocation attempts exceed valid limits or slice operations reference invalid indices.
The Go runtime enforces memory safety by raising a panic when such conditions occur, and an unrecovered panic terminates the process. No panic recovery mechanism is implemented in this code path, so the result is a full service crash.
Attack vector and exploitation flow
The vulnerability can be triggered when Ollama processes a malicious GGUF file. This may occur through multiple operational paths:
- Manual model creation using a local GGUF file
- Remote model pulls initiated through API calls
- Automated pipelines that import models without validation
- Shared environments where model storage is writable by multiple users
Once the malicious file is parsed, the crash occurs immediately. No authentication bypass or elevated privileges are required beyond the ability to supply or influence the model file being loaded.
Impact assessment
- Immediate termination of the Ollama service
- Loss of availability for all inference requests
- Interruption of model loading and management operations
- Repeated exploitation can result in persistent service outage
The vulnerability affects availability only; confidentiality and integrity are not directly impacted.
Exploitability and PoC status (educational)
Educational proof-of-concept demonstrations exist that show how malformed GGUF metadata can reliably crash the service. These demonstrations focus on manipulating metadata length fields to trigger runtime panics.
No advanced exploitation techniques are required. The attack is deterministic and repeatable. All publicly discussed PoCs are intended for defensive testing and research purposes only.
MITRE classification
- CWE-20: Improper Input Validation
- Impact Category: Denial of Service (Availability)
- Attack Vector: External input via model ingestion
Detection and monitoring guidance
Primary indicators
- Runtime panic messages generated by the Ollama process
- Stack traces referencing GGUF parsing functions
- Unexpected service exits during or immediately after model ingestion
Log sources to monitor
- Ollama application logs (stdout / stderr)
- Systemd or service manager logs
- Container runtime logs
- Reverse proxy and API gateway logs
- Host-based process monitoring tools
SIEM detection rules
Splunk
```
index=application_logs process_name="ollama"
("panic: runtime error" OR "index out of range" OR "makeslice: len out of range")
| stats count by host
| where count >= 1
```
Elastic / OpenSearch (KQL)
```
process.name : "ollama" and
(message : "panic: runtime error" or
message : "makeslice: len out of range" or
message : "GGUF")
```
QRadar (AQL)
```
SELECT hostname, COUNT(*)
FROM events
WHERE processname = 'ollama'
AND UTF8(payload) ILIKE '%panic%'
GROUP BY hostname
HAVING COUNT(*) > 0
```
Mitigation and remediation
Immediate mitigations
- Restrict model ingestion to trusted users and sources
- Disable automatic model pulls from untrusted locations
- Run Ollama behind an authenticated reverse proxy
- Monitor for repeated crashes or panic messages
Permanent remediation
The vulnerability is resolved by upgrading to a patched version of Ollama that enforces strict bounds checking during GGUF parsing.
Official patch / upgrade link:
👉 https://github.com/ollama/ollama/releases
CVE-2025-66960 — Detailed vulnerability information
Vulnerability description
A denial-of-service vulnerability exists in Ollama’s GGUF v1 string parsing logic. When string values are read from GGUF metadata, the associated length fields are used directly to allocate memory. Insufficient validation of these values allows malformed metadata to trigger invalid memory allocation attempts.
This condition results in a Go runtime panic, causing the Ollama process to terminate.
Root cause
The GGUF v1 string parsing function does not enforce upper or lower bounds on string length values. When attacker-controlled metadata specifies excessively large or invalid lengths, the Go runtime aborts execution during slice allocation.
The absence of defensive checks or panic recovery causes a complete service crash.
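The unchecked-length pattern described in the root-cause sections of both CVEs, next to a bounds-checked form and a panic-recovery wrapper, as an added Go example (not Ollama's source code). The 8-byte little-endian length prefix, the NUL terminator, `maxStringLen` and all function names are assumptions made for illustration, and the inputs are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const maxStringLen = 1 << 20 // assumed policy cap per metadata string, not a GGUF constant
var errBadLength = errors.New("string length out of bounds")

// readString parses an assumed layout: 8-byte little-endian length, then bytes ending in NUL.
func readString(r *bytes.Reader, checked bool) (string, error) {
	var n uint64
	if err := binary.Read(r, binary.LittleEndian, &n); err != nil {
		return "", err
	}
	// Lower bound: room for the terminator. Upper bounds: policy cap and bytes remaining.
	if checked && (n < 1 || n > maxStringLen || n > uint64(r.Len())) {
		return "", fmt.Errorf("%w: %d", errBadLength, n)
	}
	buf := make([]byte, n) // unchecked: a huge n panics with "makeslice: len out of range"
	if _, err := io.ReadFull(r, buf); err != nil {
		return "", err
	}
	return string(buf[:len(buf)-1]), nil // unchecked: n == 0 panics on the negative bound
}

// parseSafely turns a parser panic into an error, so a bad file fails one call, not the process.
func parseSafely(data []byte, checked bool) (s string, err error) {
	defer func() {
		if p := recover(); p != nil {
			err = fmt.Errorf("parser panic: %v", p)
		}
	}()
	return readString(bytes.NewReader(data), checked)
}

// field builds a constructed input: declared length n, then the payload bytes.
func field(n uint64, p string) []byte { return append(binary.LittleEndian.AppendUint64(nil, n), p...) }

func main() {
	for _, in := range [][]byte{field(6, "llama\x00"), field(0, ""), field(1<<62, "")} {
		fmt.Println(parseSafely(in, false)) // length trusted: the last two inputs panic
		fmt.Println(parseSafely(in, true))  // length bounds-checked: plain errors instead
	}
}
```

`recover` only catches panics; a length that passes the slice-size check but exhausts memory ends in a fatal runtime error that cannot be recovered, so the bounds check is the primary control and the wrapper is a backstop.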
Exploitation mechanics
Exploitation requires the ability to introduce a crafted GGUF file into the model ingestion workflow. This may occur through:
- Local model creation commands
- Remote API-based model pulls
- Automated or unattended model update pipelines
The crash occurs during metadata parsing, prior to model execution or inference.
Impact
- Immediate denial of service
- Loss of availability for all hosted models
- Service restart required for recovery
- High operational risk in automated environments
Exploitability and PoC status (educational)
Educational demonstrations exist showing controlled service crashes using malformed GGUF v1 metadata. These PoCs validate the issue without enabling further exploitation and are intended solely for defensive validation.
MITRE classification
- CWE-20: Improper Input Validation
- Impact Category: Denial of Service (Availability)
Detection and response
Detection techniques for this vulnerability are identical to those for CVE-2025-66959. The same log sources, indicators, and SIEM rules apply, with particular attention to panic messages referencing GGUF v1 string parsing.
Final risk summary
Both vulnerabilities stem from insufficient validation of untrusted model metadata. While no code execution is possible, the reliability and simplicity of the denial-of-service condition make these issues operationally significant, particularly in shared, exposed, or automated environments.
Final recommendation
All Ollama deployments should be upgraded to a patched release as soon as possible. Until patched, model ingestion should be treated as a high-risk operation and restricted accordingly.
Official patch / upgrade link:
👉 https://github.com/ollama/ollama/releases
