CVE-2024-39720
📋 TL;DR
This vulnerability lets an attacker crash an Ollama server by uploading a specially crafted GGUF file as a blob and then referencing it through the CreateModel route, which triggers a segmentation fault in the server process. Every Ollama instance running a vulnerable version is affected; the risk is highest for instances reachable by untrusted clients, because the Ollama API has no authentication of its own, so anyone who can reach it can upload model files and call the create route.
💻 Affected Systems
- Ollama
📦 What is this software?
Ollama, by Ollama: a tool for running large language models locally and serving them over an HTTP API (TCP port 11434 by default).
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service through application crashes, potentially disrupting AI model serving capabilities and requiring manual restart of Ollama services.
Likely Case
Service disruption through application crashes when malicious users upload crafted model files, leading to intermittent availability issues.
If Mitigated
Minimal impact with proper access controls and network segmentation limiting who can interact with the Ollama API.
🎯 Exploit Status
Exploitation takes two HTTP requests: one to upload the malformed GGUF file as a blob, and one to the CreateModel route (POST /api/create) that references the blob, which crashes the server. The technical details are publicly documented. The published impact is the crash itself, i.e. denial of service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.1.46
Vendor Advisory: https://github.com/ollama/ollama/compare/v0.1.45...v0.1.46
Restart Required: Yes
Instructions:
1. Stop the Ollama service.
2. Update to version 0.1.46 or later using your package manager or a direct download.
3. Restart the Ollama service.
🔧 Temporary Workarounds
Network Access Restriction (Linux)
Restrict network access to the Ollama API endpoint (TCP 11434 by default) to trusted sources only. If the server only needs to serve local clients, leaving OLLAMA_HOST at its default of 127.0.0.1 avoids exposing the port at all. Example using iptables; replace trusted_ip with the address or CIDR of the client that should keep access, and keep the ACCEPT rule ahead of the DROP rule, since iptables evaluates rules in order:
iptables -A INPUT -p tcp --dport 11434 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 11434 -j DROP
API Authentication (all platforms)
Place an authenticating reverse proxy or API gateway in front of Ollama, which has no built-in authentication, so that only identified clients can reach the blob upload route and /api/create.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Ollama instances from untrusted networks
- Deploy WAF or proxy rules that block blob uploads too short to hold a GGUF header (the published reproducer is a 4-byte file) and /api/create requests from untrusted clients. Treat this as a stopgap: inspecting the header catches the known trigger, not every malformed file the decoder might choke on.
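To make "malformed GGUF upload" concrete for the API-gateway workaround above and the WAF entry in this list, here is an added example, written for this page rather than taken from Ollama: a Python check of the fixed-size GGUF header that a reverse proxy could apply to bodies posted to the blob route. The GGUF header layout (magic "GGUF", uint32 version, then two counts that are uint32 in version 1 and uint64 in versions 2 and 3) is the published format; gateway_allows, the sample byte strings and the size bound on the counts are this example's own assumptions, and Ollama itself exposes no such hook.

```python
import struct
from typing import Tuple

GGUF_MAGIC = b"GGUF"
SUPPORTED_VERSIONS = {1, 2, 3}


def check_gguf_header(data: bytes) -> Tuple[bool, str]:
    """Validate only the fixed-size GGUF header and return (ok, reason).

    Layout: magic "GGUF", uint32 version, then tensor_count and metadata_kv_count,
    which are uint32 in version 1 (16-byte header) and uint64 in versions 2 and 3
    (24-byte header). A file that stops right after the magic, like the 4-byte
    reproducer the advisory describes, fails the length check.
    """
    if len(data) < 4 or data[:4] != GGUF_MAGIC:
        return False, "bad magic: not a GGUF file"
    if len(data) < 8:
        return False, "truncated: %d bytes, version field missing" % len(data)
    version = struct.unpack_from("<I", data, 4)[0]
    if version not in SUPPORTED_VERSIONS:
        return False, "unsupported GGUF version %d" % version
    fmt = "<II" if version == 1 else "<QQ"
    need = 8 + struct.calcsize(fmt)
    if len(data) < need:
        return False, "truncated: %d bytes, header needs %d" % (len(data), need)
    tensor_count, kv_count = struct.unpack_from(fmt, data, 8)
    # Every tensor descriptor and metadata entry occupies at least one byte, so counts
    # larger than the file itself can never be satisfied; reject them here rather than
    # let a decoder loop over them (bound chosen for this example).
    if tensor_count > len(data) or kv_count > len(data):
        return False, "counts exceed file size (%d tensors, %d kv)" % (tensor_count, kv_count)
    return True, "gguf v%d: %d tensors, %d metadata entries" % (version, tensor_count, kv_count)


def gateway_allows(path: str, body: bytes) -> bool:
    """Decision a reverse proxy in front of Ollama could apply (hypothetical helper).

    Only blob uploads are inspected, and only bodies that claim to be GGUF: other
    blob kinds (adapters, licence text, templates) legitimately use the same route.
    """
    if not path.startswith("/api/blobs/"):
        return True
    if not body.startswith(GGUF_MAGIC):
        return True
    ok, _ = check_gguf_header(body)
    return ok


# Constructed sample inputs for this example (not captured from a real server).
MAGIC_ONLY = b"GGUF"                                        # the 4-byte file from the advisory
MINIMAL_V3 = GGUF_MAGIC + struct.pack("<IQQ", 3, 0, 0)       # complete 24-byte v3 header
MINIMAL_V1 = GGUF_MAGIC + struct.pack("<III", 1, 0, 0)       # complete 16-byte v1 header
BAD_VERSION = GGUF_MAGIC + struct.pack("<I", 99)             # version the check does not know
HUGE_COUNTS = GGUF_MAGIC + struct.pack("<IQQ", 3, 1 << 40, 0)  # counts impossible for the size
NOT_GGUF = b"\x7fELF" + b"\x00" * 20                         # some other binary blob

if __name__ == "__main__":
    for name, blob in [("magic only", MAGIC_ONLY), ("minimal v3", MINIMAL_V3),
                       ("minimal v1", MINIMAL_V1), ("bad version", BAD_VERSION),
                       ("huge counts", HUGE_COUNTS), ("not gguf", NOT_GGUF)]:
        print("%-12s %s" % (name, check_gguf_header(blob)))
    print("gateway allows 4-byte upload:", gateway_allows("/api/blobs/sha256:placeholder", MAGIC_ONLY))
```

The check deliberately stops at the header: it is cheap enough to run inline on every upload and catches the short-file trigger, but a GGUF file with a valid header and corrupt tensor or metadata sections passes it, so it complements patching rather than replacing it.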
🔍 How to Verify
Check if Vulnerable:
Run ollama --version. If the reported version is below 0.1.46 (compare numerically: 0.1.5 is older than 0.1.46), the installation is vulnerable.
Check Version:
ollama --version
Verify Fix Applied:
After updating, verify version is 0.1.46 or higher: ollama --version
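A scriptable form of the check above, added here as an example rather than taken from Ollama: it parses the output of ollama --version and compares it numerically against 0.1.46, so that 0.1.5 is treated as older than 0.1.46, which a plain string comparison gets wrong. The exact wording of the version line ("ollama version is x.y.z", and a warning followed by the client version when no server is running) is an assumption about the CLI's output; the script takes the last x.y.z triple it finds so either form works.

```python
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (0, 1, 46)  # first release listed as patched on this page
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Extract the x.y.z triple from `ollama --version` output.

    Assumed format: "ollama version is 0.1.45"; when the client cannot reach a server
    it prints a warning and then the client version, so the last triple is the one
    that matters.
    """
    found = VERSION_RE.findall(output)
    if not found:
        return None
    major, minor, patch = found[-1]
    return int(major), int(minor), int(patch)


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    # Tuple comparison is numeric per component: (0, 1, 5) < (0, 1, 46),
    # whereas "0.1.5" < "0.1.46" is False as strings.
    return version < FIXED_VERSION


def check_installed() -> str:
    """Run the local binary and report its status as a one-line string."""
    try:
        proc = subprocess.run(["ollama", "--version"], capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return "ollama binary not found on PATH"
    text = proc.stdout + proc.stderr
    version = parse_version(text)
    if version is None:
        return "could not parse a version from: " + text.strip()
    label = "VULNERABLE (update to 0.1.46 or later)" if is_vulnerable(version) else "patched"
    return "ollama %d.%d.%d: %s" % (version + (label,))


if __name__ == "__main__":
    print(check_installed())
```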
📡 Detection & Monitoring
Log Indicators:
- Segmentation fault errors in logs
- Unexpected application crashes
- Multiple failed model creation attempts
- Blob uploads whose body is only a few bytes (the published reproducer is a 4-byte file, which leaves room for nothing but the GGUF magic)
Network Indicators:
- HTTP POST requests to /api/create (the CreateModel route) immediately followed by the service becoming unavailable
- POST requests to the blob upload route (/api/blobs/sha256:<digest>) with a minimal Content-Length
SIEM Query:
source="ollama.log" AND ("segmentation fault" OR "segmentation violation" OR "SIGSEGV" OR "panic")
(The Go runtime reports a crash as "[signal SIGSEGV: segmentation violation ...]", so both spellings are worth matching.)
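The log and network indicators above can be combined into one correlation rule. The following is an added example, not part of this page or of Ollama: it reads Gin-style access lines of the kind Ollama's HTTP server writes, plus a Go crash dump, and reports each crash together with the most recent POST /api/create and the blob uploads from the same client within a window. The log lines are constructed for the example (the blob digest is a placeholder), and the 120-second window and the five-field access-line layout the parser expects are assumptions; Gin's default access log does not record the request body size, so the "4-byte upload" indicator has to be checked at a proxy or on the stored blobs, not here.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample: Gin access lines followed by a Go crash dump.
SAMPLE_LOG = """\
[GIN] 2024/06/25 - 10:15:01 | 200 |     812.4µs |   10.0.0.5 | GET      "/api/tags"
[GIN] 2024/06/25 - 10:15:07 | 201 |    1.204ms |   10.0.0.5 | POST     "/api/blobs/sha256:placeholder"
[GIN] 2024/06/25 - 10:15:09 | 200 |   15.377ms |   10.0.0.5 | POST     "/api/create"
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x0]
"""

# Same sequence, but the process died inside the create handler, so Gin never wrote
# the /api/create access line; the blob upload is then the only lead.
SAMPLE_LOG_NO_CREATE = """\
[GIN] 2024/06/25 - 10:15:01 | 200 |     812.4µs |   10.0.0.5 | GET      "/api/tags"
[GIN] 2024/06/25 - 10:15:07 | 201 |    1.204ms |   10.0.0.5 | POST     "/api/blobs/sha256:placeholder"
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x0]
"""

CRASH_RE = re.compile(r"SIGSEGV|segmentation (?:fault|violation)|^panic:")

# (timestamp, status, client, method, path)
Access = Tuple[datetime, int, str, str, str]


def parse_access(line: str) -> Optional[Access]:
    """Parse one Gin access line: [GIN] time | status | latency | client | METHOD "path"."""
    if not line.startswith("[GIN]"):
        return None
    parts = [p.strip() for p in line[5:].split("|")]
    if len(parts) != 5:
        return None
    ts = datetime.strptime(parts[0], "%Y/%m/%d - %H:%M:%S")
    method, _, path = parts[4].partition(" ")
    return ts, int(parts[1]), parts[3], method, path.strip().strip('"')


def correlate(log_text: str, window: timedelta = timedelta(seconds=120)) -> List[Dict]:
    """Return one finding per crash, with the create call and uploads that preceded it."""
    findings: List[Dict] = []
    recent: List[Access] = []
    in_crash = False  # collapse the multi-line crash dump into a single finding
    for line in log_text.splitlines():
        rec = parse_access(line)
        if rec:
            recent.append(rec)
            in_crash = False
            continue
        if in_crash or not CRASH_RE.search(line):
            continue
        in_crash = True
        # The crash dump carries no timestamp; use the last access line as the reference.
        ref = recent[-1][0] if recent else None
        in_window = [r for r in recent if ref is not None and ref - r[0] <= window]
        creates = [r for r in in_window if r[3] == "POST" and r[4] == "/api/create"]
        trigger = creates[-1] if creates else None
        uploads = [r for r in in_window
                   if r[3] == "POST" and r[4].startswith("/api/blobs/")
                   and (trigger is None or r[2] == trigger[2])]
        client = trigger[2] if trigger else (uploads[-1][2] if uploads else None)
        findings.append({
            "crash": line.strip(),
            "client": client,
            "create_logged": trigger is not None,
            "blob_uploads": [r[4] for r in uploads],
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG) + correlate(SAMPLE_LOG_NO_CREATE):
        print(f)
```

Run against a real server log, the interesting finding is a crash whose client field points at a host that is not supposed to create models at all; a crash with no create line and no uploads in the window is more likely an unrelated fault.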