Technical description
Two high-severity vulnerabilities (CVSS 7.7) in Ollama for Windows enable remote code execution through the application's update mechanism. CVE-2026-42248 allows arbitrary code execution because Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables—the Windows implementation unconditionally returns success without digital signature or trust validation. CVE-2026-42249 enables RCE via improper handling of attacker-controlled HTTP response headers during update downloads, where the application constructs local file paths using header values without validation.
Attack vector
For CVE-2026-42248, an attacker performs a man-in-the-middle attack during update checks to serve a malicious executable that Ollama will stage and execute without verification. For CVE-2026-42249, an attacker manipulates HTTP response headers (such as Content-Disposition) to inject path traversal sequences, causing Ollama to write malicious files outside the intended update directory, then execute them. Both attacks can be chained or used independently depending on network position.
Affected systems
Ollama for Windows installations checking for updates. Ollama is a widely-deployed tool for running large language models locally, used by developers and organizations for offline LLM inference. The vulnerabilities do not affect Ollama on macOS or Linux, where update verification routines are properly implemented.
Mitigation
CERT Poland disclosed the vulnerabilities on April 29, 2026. Users should check for vendor patches and apply immediately when available. As an interim control, disable automatic updates in Ollama for Windows and manually verify update integrity using vendor-provided checksums. Monitor network traffic for unusual update-related HTTP requests. Organizations should assess whether Ollama instances are deployed on developer workstations with access to production AI infrastructure.