Ollama Remote Code Execution: Securing the Code That Runs LLMs
Blog post from Sonar
Ollama, a popular open-source project used for running large language models (LLMs) locally, was found to have a critical Out-Of-Bounds Write vulnerability that could lead to arbitrary code execution if exploited. This vulnerability was identified during an audit of Ollama's codebase, which is mainly written in Go with some C/C++ components, and it was present in versions before 0.7.0. The issue arose from unsafe handling of model metadata, specifically with how indices in a model file could exceed the bounds of a C++ std::vector. The vulnerability allowed an attacker to potentially execute remote code by manipulating function pointers in memory. Although the bug was confirmed exploitable in non-PIE builds, the exploitability in PIE builds—which are more common in release versions—remains speculative without further investigation. Remarkably, the maintainers of Ollama had already replaced the vulnerable C++ code with a new Go implementation just two days prior to the vulnerability being reported, effectively mitigating the risk before it was disclosed. This case underscores the importance of securing code running on AI systems and highlights the persistent nature of vulnerabilities in memory-unsafe languages like C and C++.
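The defect described above is a classic one: an index read from an untrusted model file is used to write into a C++ std::vector without first being compared against the vector's size. The following is an added illustration (not Ollama's code and not Sonar's), using a constructed, simplified metadata structure and a hypothetical loader table; it shows the unchecked pattern as a comment and the bounds-checked loader that a maintainer would want in its place.

```cpp
#include <cstdint>
#include <cstddef>
#include <string>
#include <vector>

// Constructed stand-in for one metadata entry in a model file: the entry
// names a slot in a fixed-size table that the loader writes into. The slot
// value comes straight from the file, so it is attacker-controlled.
struct MetaEntry {
    std::string name;
    int64_t slot;
    uint32_t value;
};

// Hypothetical loader table size; the real format is not reproduced here.
constexpr std::size_t kSlotCount = 8;

// Vulnerable pattern (described, not executed):
//
//     table[entry.slot] = entry.value;
//
// std::vector::operator[] performs no bounds check, so a slot at or beyond
// table.size() writes past the vector's heap allocation and corrupts whatever
// lives next to it. That is the out-of-bounds write the page describes, and
// why corrupted heap data can end up overlapping other objects' pointers.

// Hardened loader: every index is validated against the table's actual size
// before it is used, and the first bad entry aborts the whole load rather than
// leaving a partially applied table behind. Returns true only if every entry
// was in range and applied.
bool apply_metadata(const std::vector<MetaEntry>& entries,
                    std::vector<uint32_t>& table) {
    for (const auto& e : entries) {
        // Check the signed field first: a negative slot must be rejected as
        // such, not silently cast to a huge unsigned index.
        if (e.slot < 0) {
            return false;
        }
        if (static_cast<uint64_t>(e.slot) >= table.size()) {
            return false;
        }
        table[static_cast<std::size_t>(e.slot)] = e.value;
    }
    return true;
}

// Builds the table and applies a metadata block; this is the entry point a
// file loader would call once the entries have been parsed.
bool load_model_metadata(const std::vector<MetaEntry>& entries) {
    std::vector<uint32_t> table(kSlotCount, 0);
    return apply_metadata(entries, table);
}
```

The check is deliberately split in two so the rejection reason is visible in a debugger or log: negative indices and oversized indices are both wrong, but they usually come from different parsing mistakes (sign-extension of a truncated field versus an outright bogus value). Comparing against `table.size()` rather than the constant `kSlotCount` keeps the check correct if the table is ever resized.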