SentencePiece
CVE-2026-1260
HIGH
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Trigger is loading a local malicious model file (AV:L) requiring victim action (UI:R) with no prior auth (PR:N); memory corruption yields high C/I/A within the unchanged process scope.
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9Blast Radius
ecosystem impact- 2,650 pypi packages depend on sentencepiece (1,168 direct, 1,532 indirect)
Ecosystem-wide dependent count for version 0.2.1.
DescriptionCVE.org
Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure.
AnalysisAI
Memory-corruption in Google's SentencePiece tokenizer library (all versions before 0.2.1) lets a maliciously crafted model file trigger an invalid memory access (CWE-119) when the file is loaded, potentially leading to crashes or arbitrary code execution in the host process. Exploitation requires a victim to load an attacker-supplied model that was deliberately built outside the normal training pipeline, so it is not remotely triggerable on its own. No public exploit identified at time of analysis, and EPSS is 0.00%, but the flaw was reported by Google and is patched in v0.2.1.
Technical ContextAI
SentencePiece is Google's open-source unsupervised text tokenizer/detokenizer (BPE and unigram models) embedded in many NLP and LLM pipelines to serialize and deserialize trained tokenizer models, typically via protobuf-backed .model files. The CPE cpe:2.3:a:google:sentencepiece:*:*:*:*:*:*:*:* confirms the affected component is the SentencePiece application/library itself. The root cause is CWE-119 (improper restriction of operations within the bounds of a memory buffer): when parsing a model file whose internal fields/offsets are malformed in a way the legitimate training procedure would never produce, the deserialization code performs an out-of-bounds or otherwise invalid memory access. This is a classic untrusted-deserialization buffer-handling bug rather than a flaw in tokenization logic for normal inputs.
RemediationAI
Vendor-released patch: 0.2.1 - upgrade SentencePiece to v0.2.1 or later (https://github.com/google/sentencepiece/releases/tag/v0.2.1), and for Red Hat-based systems apply the packages from RHSA-2026:3782 and RHSA-2026:3713 rather than relying on pip alone, since the library is bundled in distro/product builds. Because exploitation depends on loading an attacker-controlled model file, the most effective compensating control where immediate patching is not possible is to treat tokenizer model files as untrusted input: only load .model files from trusted, integrity-verified sources (pin checksums/signatures of known-good models), and reject or sandbox any user-supplied or third-party-downloaded models. If your application accepts uploaded models, isolate the deserialization/tokenizer load in a low-privilege, resource-limited sandbox or separate process so a crash or memory-corruption cannot compromise the main service - the trade-off is added IPC/latency and operational complexity. Avoid loading models from model hubs or shared storage without provenance checks until upgraded.
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-38vq-g6vr-w8wf