CVE-2025-15514

Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi-modal model image processing functionality. When processing base64-encoded image data via the /api/chat endpoint, the application fails to validate that the decoded data represents valid media before passing it to the mtmd_helper_bitmap_init_from_buf function. This function can return NULL for malformed input, but the code does not check this return value before dereferencing the pointer in subsequent operations. A remote attacker can exploit this by sending specially crafted base64 image data that decodes to invalid media, causing a segmentation fault and crashing the runner process. This results in a denial of service condition where the model becomes unavailable to all users until the service is restarted.

Attacker scans for exposed Ollama instances on port 11434 using Shodan or masscan. They identify a target running a vision model (discoverable via GET /api/tags which lists loaded models). They craft a POST request to /api/chat with model set to a multimodal model and an 'images' array containing a base64-encoded payload that decodes to invalid binary data (e.g., random bytes or a truncated file). Ollama passes this to mtmd_helper_bitmap_init_from_buf, which returns NULL due to invalid media format. The subsequent pointer dereference triggers a segfault, crashing the runner process. The attacker can repeat this every time the service restarts, maintaining a persistent DoS condition. No credentials, no AI/ML knowledge, no exploit development required — a 10-line Python script suffices. In an enterprise context where developers have enabled Ollama on their workstations for AI-assisted coding with vision capabilities, this could also be triggered by a malicious web page or document that causes the local Ollama API to be queried with crafted image data.