Ollama 'Bleeding Llama' Bug Exposes ~300,000 Deployments to Unauthenticated Info Theft

A heap out-of-bounds read vulnerability dubbed “Bleeding Llama” affects Ollama, the popular self-hosted LLM runtime. The flaw can be exploited remotely without any authentication, and approximately 300,000 Ollama instances are estimated to be publicly reachable. Successful exploitation could allow an attacker to read sensitive data from the server’s process memory, including model weights, API tokens, or system prompt content. Ollama deployments are frequently misconfigured to listen on all interfaces without authentication. Operators should ensure Ollama is bound to localhost or a private network interface only, apply the patch when released, and audit firewall rules to prevent external access.