CVE-2024-39720: Ollama: OOB read in GGUF parser enables remote DoS

HIGH | PoC AVAILABLE | CISA: TRACK*
Published October 31, 2024
CISO Take

Any internet-exposed Ollama instance running a version below 0.1.46 can be crashed with two unauthenticated HTTP requests — no credentials, no prior access needed. The Confidentiality: Low (C:L) metric in the CVSS vector hints at potential partial memory disclosure beyond pure DoS, so patching is urgent. Patch immediately to 0.1.46+ or, at minimum, bind Ollama to localhost and firewall the port.

Risk Assessment

High risk. No authentication requirement, low attack complexity, and a network-reachable attack vector together make this trivially weaponizable. Many deployment guides configure Ollama to listen on all interfaces, so developer workstations, internal MLOps platforms, and cloud-hosted inference nodes are commonly exposed. The out-of-bounds read (CWE-125) sits in a parser that processes attacker-supplied binary data, a class of vulnerability historically associated with escalation to RCE; the current confirmed impact is crash/DoS, but memory disclosure cannot be ruled out without deeper analysis.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| ollama | pip | | No patch |

Severity & Risk

CVSS 3.1: 8.2 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 57% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

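AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): Low
I (Integrity): None
A (Availability): High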

Recommended Action

  1. Patch immediately: Upgrade to Ollama 0.1.46 or later — the fix is available and the diff is public.

  2. Network isolation (if patching is delayed): Bind Ollama to 127.0.0.1 only (OLLAMA_HOST=127.0.0.1); never expose port 11434 directly to the internet or untrusted networks.

  3. Reverse proxy with authentication: Place Ollama behind a proxy (nginx, Caddy) that enforces authentication before any API access.

  4. Detection: Alert on SIGSEGV/crash signals in Ollama process logs; monitor for unusual POST requests to /api/blobs/ followed by /api/create from unexpected sources.

  5. Inventory: Audit all internal deployments — Ollama is commonly spun up ad-hoc by developers and may exist outside formal asset tracking.
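The request-sequence monitoring in step 4 can be prototyped as below. This is an added example, not code from Ollama or from the advisory; the simplified `time source method path` log format, the function and type names, and the sample lines are assumptions, so adapt the field parsing to your proxy's access-log format.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Alert is a blob upload followed by a model create from the same source.
type Alert struct {
	Source, Blob string
	Gap          time.Duration
}
// Correlate reads lines of the assumed form "<RFC3339 time> <source> <method> <path>"
// and alerts when a source outside allow POSTs /api/blobs/... then /api/create within window.
func Correlate(lines []string, allow map[string]bool, window time.Duration) []Alert {
	at := map[string]time.Time{} // time of the latest blob upload per source
	blob := map[string]string{}  // digest path segment of that upload
	var alerts []Alert
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) != 4 || f[2] != "POST" || allow[f[1]] {
			continue // malformed line, other method, or expected client
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		if strings.HasPrefix(f[3], "/api/blobs/") {
			at[f[1]], blob[f[1]] = ts, strings.TrimPrefix(f[3], "/api/blobs/")
		} else if up, ok := at[f[1]]; ok && f[3] == "/api/create" {
			if gap := ts.Sub(up); gap >= 0 && gap <= window {
				alerts = append(alerts, Alert{f[1], blob[f[1]], gap})
			}
		}
	}
	return alerts
}
// Constructed sample lines (not captured traffic); digests are placeholders.
var sampleLog = []string{
	"2024-11-01T10:00:00Z 10.0.0.5 POST /api/blobs/sha256:aaaa",
	"2024-11-01T10:00:01Z 10.0.0.5 POST /api/create",
	"2024-11-01T10:05:00Z 203.0.113.7 POST /api/blobs/sha256:bbbb",
	"2024-11-01T10:05:02Z 203.0.113.7 POST /api/create",
	"2024-11-01T10:30:00Z 198.51.100.9 POST /api/create",
}
func main() {
	fmt.Println(Correlate(sampleLog, map[string]bool{"10.0.0.5": true}, time.Minute))
}
```

Access logs do not show the Modelfile body, so the correlation is by source and time only; pair it with the crash-signal alert from the same step to cut false positives from legitimate model imports.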

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.10.2 - AI system security and resilience
NIST AI RMF: MANAGE-2.4 - Residual risks are managed
OWASP LLM Top 10: LLM04 - Model Denial of Service

Frequently Asked Questions

Is CVE-2024-39720 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-39720, increasing the risk of exploitation.

How to fix CVE-2024-39720?

1. **Patch immediately**: Upgrade to Ollama 0.1.46 or later — the fix is available and the diff is public.
2. **Network isolation** (if patching is delayed): Bind Ollama to 127.0.0.1 only (`OLLAMA_HOST=127.0.0.1`); never expose port 11434 directly to the internet or untrusted networks.
3. **Reverse proxy with authentication**: Place Ollama behind a proxy (nginx, Caddy) that enforces authentication before any API access.
4. **Detection**: Alert on SIGSEGV/crash signals in Ollama process logs; monitor for unusual POST requests to `/api/blobs/` followed by `/api/create` from unexpected sources.
5. **Inventory**: Audit all internal deployments — Ollama is commonly spun up ad-hoc by developers and may exist outside formal asset tracking.

What systems are affected by CVE-2024-39720?

This vulnerability affects the following AI/ML architecture patterns: local LLM inference, model serving, self-hosted AI infrastructure, developer AI workstations, on-premise MLOps platforms.

What is the CVSS score for CVE-2024-39720?

CVE-2024-39720 has a CVSS v3.1 base score of 8.2 (HIGH). The EPSS exploitation probability is 0.34%.

Technical Details

NVD Description

An issue was discovered in Ollama before 0.1.46. An attacker can use two HTTP requests to upload a malformed GGUF file containing just 4 bytes starting with the GGUF custom magic header. By leveraging a custom Modelfile that includes a FROM statement pointing to the attacker-controlled blob file, the attacker can crash the application through the CreateModel route, leading to a segmentation fault (signal SIGSEGV: segmentation violation).

Exploitation Scenario

An attacker discovers an exposed Ollama API (port 11434) via Shodan or internal network scan. They send two HTTP requests: (1) `POST /api/blobs/sha256:<hash>` with a 4-byte GGUF magic header payload to register a malformed blob, and (2) `POST /api/create` with a Modelfile body containing `FROM @sha256:<hash>` pointing to the malicious blob. Ollama's GGUF parser dereferences a pointer based on the (missing/invalid) header fields, triggering a SIGSEGV and crashing the process. In environments where Ollama runs without a process supervisor, this permanently disables AI inference capability until manual restart. A PoC is publicly documented in the Oligo Security research post, lowering the barrier to exploitation to near-zero.
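The bug class at work here (CWE-125 on a truncated header) is avoided by refusing to use any header field until the whole fixed header has been read. The sketch below is an added example, not Ollama's parser and not the 0.1.46 fix; it assumes the little-endian GGUF v2+ layout (4-byte magic, uint32 version, uint64 tensor count, uint64 metadata key/value count), and the type, function and error names are hypothetical.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Header holds the fixed fields that follow the 4-byte magic (GGUF v2+ layout, assumed).
type Header struct {
	Version     uint32
	TensorCount uint64
	KVCount     uint64
}
var (
	ErrTruncated = errors.New("gguf: input ends inside the fixed header")
	ErrMagic     = errors.New("gguf: bad magic")
)

// ParseHeader validates the magic and decodes the fixed header from b. io.ReadFull and
// binary.Read fail on short input, so a truncated blob is rejected before any field is used.
func ParseHeader(b []byte) (Header, error) {
	r := bytes.NewReader(b)
	var magic [4]byte
	var h Header
	if _, err := io.ReadFull(r, magic[:]); err != nil {
		return h, ErrTruncated
	}
	if string(magic[:]) != "GGUF" {
		return h, ErrMagic
	}
	if err := binary.Read(r, binary.LittleEndian, &h); err != nil {
		return Header{}, ErrTruncated // fewer than 20 bytes after the magic
	}
	return h, nil
}

// Constructed inputs: the 4-byte case the advisory describes, and a complete header.
var (
	magicOnly  = []byte("GGUF")
	fullHeader = append([]byte("GGUF"), 3, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0)
)
func main() {
	fmt.Println(ParseHeader(magicOnly))
	fmt.Println(ParseHeader(fullHeader))
}
```

A check like this fits at blob-upload time in a gateway or pre-processing step, so malformed files are rejected before they reach model creation.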

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Timeline

Published: October 31, 2024
Last Modified: May 13, 2025
First Seen: October 31, 2024
