CVE-2026-42248

Medienbericht

EPSS 0.38%
Veröffentlicht 29.04.2026 12:16:18
Zuletzt bearbeitet 18.05.2026 18:22:55
Quelle cvd@cert.pl
CVE-Watchlists
Login
Unerledigt
Login

Missing Signature Verification for Updates in Ollama

Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables. Unlike other platforms, the Windows implementation of the update verification routine unconditionally returns success so no digital signature or trust validation is performed before staging or executing update payloads, enabling attacker‑supplied executables to be accepted and later executed by the application.

Critically, Ollama for Windows performs silent automatic updates, so the malicious payload may be installed automatically without user awareness.

Maintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ollama ≫ Ollama Version >= 0.12.10 <= 0.17.5

Microsoft ≫ Windows Version-

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.38%	0.295

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvd@cert.pl	7.7	0	0	CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-494 Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

11.05.2026 16:03

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

10.05.2026 15:02

https://ollama.com/

Product

https://cert.pl/en/posts/2026/04/CVE-2026-42248/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-42248

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-42248

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-42248

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-42248