(0Day) Ollama downloadBlob Improper Validation of Array Index Denial-of-Service Vulnerability

July 8th, 2026

Vulnerability Details

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ollama. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the downloadBlob function. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated array. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.

Additional Details

05/28/25 - ZDI submitted the report to the vendor
07/04/25 - ZDI followed up asking the vendor to confirm receipt
09/09/25 - ZDI notified the vendor of the intention to publish the case as a 0-day advisory
-- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product


Disclosure Timeline

  • 2025-05-28 - Vulnerability reported to vendor
  • 2026-07-08 - Coordinated public release of advisory
  • 2026-07-08 - Advisory Updated

Credit

Nicholas Zubrisky (@NZubrisky) of Trend Research

Back to Advisories