CVE-2026-42248: Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables. Unlike othe
Summary
Ollama for Windows has a vulnerability (CVE-2026-42248) where it does not verify that downloaded updates are authentic and haven't been tampered with before installing them. Because Ollama automatically installs updates without asking the user, an attacker could trick the software into downloading and running malicious code without the user knowing.
Vulnerability Details
EPSS: 0.0%
April 29, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-42248
First tracked: April 29, 2026 at 02:07 PM
Classified by LLM (prompt v3) · confidence: 95%