Ollama Missing Signature Verification for Updates (CVE-2026-42248)

High | Nessus Plugin ID 313203

Synopsis

The Ollama instance installed on the remote Windows host is affected by a missing signature verification vulnerability.

Description

The version of Ollama installed on the remote Windows host is affected by a missing signature verification vulnerability:

- Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables. Unlike the other platforms, the Windows implementation of the update verification routine unconditionally returns success, so no digital signature or trust validation is performed before update payloads are staged or executed; an attacker-supplied executable is therefore accepted and later executed by the application. Critically, Ollama for Windows performs silent automatic updates, so the malicious payload may be installed automatically without the user's awareness. (CVE-2026-42248)
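To make the described weakness concrete, the following is an added Go illustration (not Ollama's code) contrasting a verification routine that unconditionally returns success with one that checks a detached Ed25519 signature over the downloaded executable against a publisher key pinned in the client. The key, the payload bytes and the function names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// verifyUnchecked is the weak pattern the advisory describes: it reports
// success for any input, so the downloaded bytes are never authenticated.
func verifyUnchecked(payload, sig []byte, pub ed25519.PublicKey) error {
	return nil
}

// verifySigned is the hardened form: the update ships with a detached
// Ed25519 signature over its SHA-256 digest, checked against a publisher
// key pinned in the client before anything is staged or executed.
func verifySigned(payload, sig []byte, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("no pinned publisher key")
	}
	if len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(pub, digest[:], sig) {
		return errors.New("signature does not match payload")
	}
	return nil
}

// demo signs a constructed "update", flips one byte in a copy (as a
// swapped-in binary would differ), and reports what each verifier accepts;
// a nil error is the gate that lets the payload reach the staging step.
func demo() (genuineOK, tamperedUnchecked, tamperedSigned bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair
	genuine := []byte("OllamaSetup.exe: constructed sample bytes")
	digest := sha256.Sum256(genuine)
	sig := ed25519.Sign(priv, digest[:])
	tampered := append([]byte(nil), genuine...)
	tampered[0] ^= 0xff
	genuineOK = verifySigned(genuine, sig, pub) == nil
	tamperedUnchecked = verifyUnchecked(tampered, sig, pub) == nil
	tamperedSigned = verifySigned(tampered, sig, pub) == nil
	return
}
```

The unchecked routine accepts the tampered payload exactly as the advisory states, while the signed routine rejects it and still accepts the genuine one.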

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

See the cert.pl advisory.

See Also

http://www.nessus.org/u?b4d71181

Plugin Details

Severity: High

ID: 313203

File Name: ollama_CVE-2026-42248.nasl

Version: 1.1

Type: Local

Agent: windows

Published: 5/8/2026

Updated: 5/8/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

CVSS Score Source: CVE-2026-42248

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVSS v4

Risk Factor: High

Base Score: 7.7

Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Vulnerability Information

CPE: cpe:/a:ollama:ollama

Required KB Items: installed_sw/Ollama

Vulnerability Publication Date: 4/29/2026

Reference Information

CVE: CVE-2026-42248

IAVB: 2026-B-0116