CVE-2024-39720 — Vulnetix

Try Vulnetix Request Demo

CVE-2024-39720 PUBLISHED CVSS 8.800000190734863 HIGH

An issue was discovered in Ollama before 0.1.46. An attacker can use two HTTP requests to upload a malformed GGUF file containing just 4 bytes starting with the GGUF custom magic header. By leveraging a custom Modelfile that includes a FROM statement pointing to the attacker-controlled blob file, the attacker can crash the application through the CreateModel route, leading to a segmentation fault (signal SIGSEGV: segmentation violation).

EPSS 0.34% · 56.7th percentile

Risk Scores

CVSS v4.0

8.800000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS Score

0.34%

56.7th percentile

Affected Products

Vendor	Product	Versions
ollama	ollama	0, 0
n/a	n/a	n/a, n/a
ollama	ollama	0, 0
github.com	ollama/ollama	0, 0

Timeline

Oct 31, 2024 CVE Published
Oct 31, 2024 Coalition ESS Score
Oct 31, 2024 PoC Published
Nov 1, 2024 EPSS Score
Nov 7, 2024 Coalition ESS Score
Nov 19, 2024 EPSS Score
Dec 7, 2024 EPSS Score
Dec 25, 2024 EPSS Score
Jan 11, 2025 EPSS Score
Jan 29, 2025 EPSS Score
Feb 15, 2025 EPSS Score
Mar 5, 2025 EPSS Score

References

Open in Interactive Console →