CVE-2025-66960

HIGH

Published January 21, 2026

CISO Take

Ollama's GGUF v1 parser reads attacker-controlled string lengths without validation, letting any network-reachable adversary crash your inference service by serving a malicious model file — no credentials or prior access needed. If your team runs Ollama in production, CI/CD pipelines, or dev environments that pull external models, patch immediately and restrict model sources to verified registries. Treat all externally-sourced GGUF files as untrusted until upgraded.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
ollama	pip	—	No patch

Do you use ollama? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

N/A

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1. Patch: Upgrade Ollama to the fixed version — check GitHub releases for CVE-2025-66960 resolution. 2. Network isolation: Restrict Ollama API access (default port 11434) to trusted internal IPs via firewall rules; never expose publicly. 3. Model provenance: Only pull models from verified, hash-validated sources — block untrusted community GGUF files via allowlist policy. 4. Process supervision: Run Ollama under systemd or supervisord with auto-restart to limit DoS downtime impact. 5. Detection: Alert on unexpected Ollama process exits or OOM kills in system and application logs. 6. Inventory: Audit all Ollama deployments across dev, staging, and prod — shadow IT instances are the highest risk.

Classification

DoS Inference Framework Model AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - AI system operation and monitoring A.9.7 - Information security for AI systems

NIST AI RMF

MANAGE 2.2 - Mechanisms to address and manage AI risks MANAGE-2.2 - Residual risks and AI system impacts are monitored on an ongoing basis

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities LLM04 - Model Denial of Service LLM10:2025 - Unbounded Consumption

Technical Details

NVD Description

An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function readGGUFV1String reads a string length from untrusted GGUF metadata

Exploitation Scenario

An adversary crafts a GGUF v1 model file with a maliciously oversized string length value in the metadata header (e.g., 0xFFFFFFFF bytes). They publish it to a public model hub or host it on an attacker-controlled server. When an engineer runs 'ollama pull attacker/malicious-model' or an automated MLOps pipeline fetches and evaluates new models from external sources, Ollama's readGGUFV1String in fs/ggml/gguf.go reads the attacker-controlled length and attempts to allocate or read that many bytes, triggering a Go panic. The Ollama service crashes immediately, dropping all active inference sessions. In environments with fully automated model evaluation pipelines, this attack can be triggered repeatedly without any human interaction.

Weaknesses (CWE)

CWE-20 CWE-400

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

github.com/ollama/ollama/issues/9820
Exploit Issue Vendor
zero.shotlearni.ng/blog/cve-2025-66960guf-v1-string-length-cause-panic-in-readggufv1string/
Exploit 3rd Party

Timeline

Published

January 21, 2026

Last Modified

February 2, 2026

First Seen

January 21, 2026

Back to Threat Feed