CVE-2026-42248: Ollama: silent auto-update bypasses signature check on Windows

CRITICAL
Published April 29, 2026
CISO Take

Ollama for Windows (v0.12.10–v0.17.5) ships a broken update verification routine that unconditionally returns success, meaning downloaded update executables are never validated for digital signature or cryptographic integrity before being staged and executed. An attacker who can intercept Ollama's update traffic—via MITM, DNS hijacking, or compromise of the update distribution infrastructure—can silently deliver and execute arbitrary code on every Windows host running Ollama with zero user interaction, because updates fire automatically in the background. Ollama is increasingly deployed across enterprise AI environments for local LLM inference; successful exploitation can yield full workstation compromise, exfiltration of locally stored model weights and API credentials, and a pivot point into internal AI infrastructure. Maintainers have not confirmed a patched version, so the immediate response is to disable auto-updates via OLLAMA_NO_AUTO_UPDATE=1, enforce signed-binary policies (AppLocker/WDAC), and monitor Ollama update traffic for anomalous destinations until a fix is confirmed.

Sources: NVD, EPSS, CISA KEV, ATLAS, cert.pl

What is the risk?

HIGH risk for enterprise Windows environments running Ollama for local LLM inference. The vulnerability requires no user interaction due to silent auto-update behavior, and successful exploitation yields arbitrary code execution at the Ollama process privilege level. The attack requires adversary network positioning or update server compromise—a moderate bar consistent with targeted threat actors and nation-state operations against AI infrastructure. No formal CVSS score has been assigned and maintainers did not confirm a patched version, leaving the full vulnerable range undefined beyond what independent researchers tested (0.12.10–0.17.5). Absence from CISA KEV and a low EPSS score (0.00009) reflect lack of currently observed active exploitation in the wild, not inherent low risk—the vulnerability class is well-understood and straightforward to weaponize.

How does the attack unfold?

Reconnaissance (AML.T0006)
Attacker identifies Windows hosts running Ollama for local LLM inference and confirms auto-update is enabled by default with no user prompt.
Network Interception (AML.T0010.001)
Attacker positions for MITM on Ollama update traffic via DNS hijacking, ARP poisoning, or compromise of the update distribution infrastructure.
Malicious Update Delivery (AML.T0010)
Attacker serves a trojanized executable as the Ollama update payload; the verification routine unconditionally returns success, staging and executing the payload with no signature or integrity check performed.
Machine Compromise (AML.T0112)
Malicious payload executes silently in the background, achieving arbitrary code execution in the Ollama process context—enabling credential theft, local model exfiltration, persistence, and lateral movement to internal AI infrastructure.

What systems are affected?

Package: Ollama
Ecosystem: pip
Vulnerable Range: not listed (researchers confirmed 0.12.10–0.17.5)
Patched: No patch
Package stats: 173.4K, 1.5K dependents, pushed 6d ago, 12% patched, ~0d to patch


How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 8% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

6 steps
  1. Immediately set OLLAMA_NO_AUTO_UPDATE=1 (or equivalent) on all Windows Ollama deployments to disable silent auto-update behavior.

  2. Enforce application control policies via Windows Defender Application Control (WDAC) or AppLocker to require valid Authenticode signatures on executables in Ollama's staging directories (%LOCALAPPDATA%\Programs\Ollama and %APPDATA%\Local\Ollama).

  3. Block or proxy outbound traffic from Ollama processes to update endpoints at the network perimeter; legitimate updates should only contact ollama.com—unexpected destinations warrant investigation.

  4. Audit all Windows hosts for Ollama installations and inspect the update staging directory for unexpected or recently dropped executables.

  5. Track CVE-2026-42248 and the CERT Polska advisory (cert.pl/en/posts/2026/04/CVE-2026-42248/) for confirmation of a patched version; do not re-enable auto-update until a release with verified signature checking is published.

  6. Consider pinning Ollama version at the package manager or deployment tool level until remediation is confirmed.
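A PowerShell triage script for steps 1 through 4, added here as a worked example; it is not code from Ollama or from the CERT Polska advisory. It assumes the two staging directories named in step 2, treats the expected signer pattern as a placeholder the operator must set from the certificate subject of a known-good Ollama binary obtained out of band, and only audits step 2's signature criterion (WDAC/AppLocker policy and the perimeter block in step 3 still have to be configured separately). Get-NetTCPConnection requires Windows 8.1 / Server 2012 R2 or later.

```powershell
#Requires -RunAsAdministrator
# Added triage helper for steps 1-4 (not Ollama project code).
# Assumptions: staging directories as named on this page; the signer pattern
# below is a PLACEHOLDER to be replaced with the subject seen on a trusted binary.

$ExpectedSignerPattern = 'PLACEHOLDER-EXPECTED-SIGNER'   # replace before trusting Suspicious
$StagingDirs = @(
    (Join-Path $env:LOCALAPPDATA 'Programs\Ollama'),
    (Join-Path $env:APPDATA      'Local\Ollama')
)

# Step 1: persist OLLAMA_NO_AUTO_UPDATE=1 machine-wide so every user session and
# every future Ollama start sees it. Running instances must be restarted.
function Disable-OllamaAutoUpdate {
    [Environment]::SetEnvironmentVariable('OLLAMA_NO_AUTO_UPDATE', '1', 'Machine')
    [Environment]::GetEnvironmentVariable('OLLAMA_NO_AUTO_UPDATE', 'Machine') -eq '1'
}

# Steps 2 and 4: inventory executables in the staging directories with their
# Authenticode status, signer and age. Unsigned, non-Valid, or unexpectedly
# signed files are marked Suspicious; a small AgeHours is the "recently
# dropped" signal step 4 asks for.
function Get-OllamaStagingFindings {
    foreach ($Dir in $StagingDirs) {
        if (-not (Test-Path -LiteralPath $Dir)) { continue }
        Get-ChildItem -LiteralPath $Dir -Recurse -File |
            Where-Object { $_.Extension -in '.exe', '.dll', '.msi' } |
            ForEach-Object {
                $Sig    = Get-AuthenticodeSignature -FilePath $_.FullName
                $Signer = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '<unsigned>' }
                [pscustomobject]@{
                    Path       = $_.FullName
                    Modified   = $_.LastWriteTime
                    AgeHours   = [math]::Round(((Get-Date) - $_.LastWriteTime).TotalHours, 1)
                    Status     = $Sig.Status
                    Signer     = $Signer
                    Suspicious = ($Sig.Status -ne 'Valid') -or ($Signer -notmatch $ExpectedSignerPattern)
                }
            }
    }
}

# Step 3: list established outbound TCP connections owned by any ollama*
# process so remote addresses can be compared with the expected update
# endpoint (ollama.com per this page). Loopback (the local API) is excluded.
function Get-OllamaOutboundConnections {
    $Pids = @(Get-Process -Name 'ollama*' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id)
    if ($Pids.Count -eq 0) { return }
    Get-NetTCPConnection -OwningProcess $Pids -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        Select-Object OwningProcess, RemoteAddress, RemotePort
}

"Auto-update disabled: $(Disable-OllamaAutoUpdate)"
Get-OllamaStagingFindings     | Sort-Object AgeHours | Format-Table -AutoSize
Get-OllamaOutboundConnections | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on each host found in the step 4 inventory; the Suspicious column is only meaningful once the placeholder signer pattern has been replaced, and a Status of Valid with an unexpected Signer is exactly the case a trojanized update would produce, so both fields are worth reading rather than the flag alone.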

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.1 - Supplier and third-party relationships
A.8.1 - AI system technical security controls
NIST AI RMF
GOVERN-6.2 - AI supply chain risk management policies and procedures
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-42248?

Ollama for Windows (v0.12.10–v0.17.5) ships a broken update verification routine that unconditionally returns success, meaning downloaded update executables are never validated for digital signature or cryptographic integrity before being staged and executed. An attacker who can intercept Ollama's update traffic—via MITM, DNS hijacking, or compromise of the update distribution infrastructure—can silently deliver and execute arbitrary code on every Windows host running Ollama with zero user interaction, because updates fire automatically in the background. Ollama is increasingly deployed across enterprise AI environments for local LLM inference; successful exploitation can yield full workstation compromise, exfiltration of locally stored model weights and API credentials, and a pivot point into internal AI infrastructure. Maintainers have not confirmed a patched version, so the immediate response is to disable auto-updates via OLLAMA_NO_AUTO_UPDATE=1, enforce signed-binary policies (AppLocker/WDAC), and monitor Ollama update traffic for anomalous destinations until a fix is confirmed.

Is CVE-2026-42248 actively exploited?

No confirmed active exploitation of CVE-2026-42248 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-42248?

  1. Immediately set OLLAMA_NO_AUTO_UPDATE=1 (or equivalent) on all Windows Ollama deployments to disable silent auto-update behavior.

  2. Enforce application control policies via Windows Defender Application Control (WDAC) or AppLocker to require valid Authenticode signatures on executables in Ollama's staging directories (%LOCALAPPDATA%\Programs\Ollama and %APPDATA%\Local\Ollama).

  3. Block or proxy outbound traffic from Ollama processes to update endpoints at the network perimeter; legitimate updates should only contact ollama.com—unexpected destinations warrant investigation.

  4. Audit all Windows hosts for Ollama installations and inspect the update staging directory for unexpected or recently dropped executables.

  5. Track CVE-2026-42248 and the CERT Polska advisory (cert.pl/en/posts/2026/04/CVE-2026-42248/) for confirmation of a patched version; do not re-enable auto-update until a release with verified signature checking is published.

  6. Consider pinning Ollama version at the package manager or deployment tool level until remediation is confirmed.

What systems are affected by CVE-2026-42248?

This vulnerability affects the following AI/ML architecture patterns: Local LLM inference (Ollama on Windows), AI developer workstations, On-premises model serving, Agent frameworks backed by local Ollama instances, RAG pipelines using local Ollama as inference backend.

What is the CVSS score for CVE-2026-42248?

CVE-2026-42248 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.03%.

What is the AI security impact?

Affected AI Architectures

Local LLM inference (Ollama on Windows)
AI developer workstations
On-premises model serving
Agent frameworks backed by local Ollama instances
RAG pipelines using local Ollama as inference backend

MITRE ATLAS Techniques

AML.T0010 AI Supply Chain Compromise
AML.T0010.001 AI Software
AML.T0074 Masquerading
AML.T0109 AI Supply Chain Rug Pull
AML.T0112 Machine Compromise

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.10.1, A.8.1
NIST AI RMF: GOVERN-6.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables. Unlike other platforms, the Windows implementation of the update verification routine unconditionally returns success, so no digital signature or trust validation is performed before staging or executing update payloads, enabling attacker-supplied executables to be accepted and later executed by the application. Critically, Ollama for Windows performs silent automatic updates, so the malicious payload may be installed automatically without user awareness. Maintainers of this project were notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable; other versions were not tested but might also be vulnerable.

Exploitation Scenario

An adversary targeting an enterprise's AI infrastructure identifies that data scientists and ML engineers use Ollama on Windows laptops for local model inference. The attacker compromises a network device on a segment with visibility to Ollama's update traffic, or poisons DNS resolution for the update endpoint to redirect requests to an attacker-controlled server. When Ollama's background auto-update check fires—without any user-visible prompt—the attacker serves a trojanized installer. Ollama's verification routine returns success unconditionally, stages the payload, and executes it silently. The payload extracts Ollama's environment configuration (which may contain API keys for OpenAI, Anthropic, or other external LLM providers), reads locally stored model weights for exfiltration or fingerprinting, and establishes persistent access on the workstation. From this foothold the attacker pivots to internal AI development infrastructure, CI/CD pipelines, and model registries.

Weaknesses (CWE)

CWE-494 — Download of Code Without Integrity Check: The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

  • [Implementation] Perform proper forward and reverse DNS lookups to detect DNS spoofing.
  • [Architecture and Design, Operation] Encrypt the code with a reliable encryption scheme before transmitting. This will only be a partial solution, since it will not detect DNS spoofing and it will not prevent your code from being modified on the hosting site.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 29, 2026
Last Modified
May 18, 2026
First Seen
April 29, 2026
