Skip to main content

SentencePiece CVE-2026-1260

HIGH
Buffer Overflow (CWE-119)
2026-01-22 cve-coordination@google.com GHSA-38vq-g6vr-w8wf
8.5
CVSS 4.0 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Trigger is loading a local malicious model file (AV:L) requiring victim action (UI:R) with no prior auth (PR:N); memory corruption yields high C/I/A within the unchanged process scope.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

9
Analysis Updated
Jun 30, 2026 - 06:00 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:57 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:56 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:56 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:23 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 03:23 NVD
7.8 (HIGH) 8.5 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 22, 2026 - 17:16 nvd
HIGH 7.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2,650 pypi packages depend on sentencepiece (1,168 direct, 1,532 indirect)

Ecosystem-wide dependent count for version 0.2.1.

DescriptionCVE.org

Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure.

AnalysisAI

Memory-corruption in Google's SentencePiece tokenizer library (all versions before 0.2.1) lets a maliciously crafted model file trigger an invalid memory access (CWE-119) when the file is loaded, potentially leading to crashes or arbitrary code execution in the host process. Exploitation requires a victim to load an attacker-supplied model that was deliberately built outside the normal training pipeline, so it is not remotely triggerable on its own. No public exploit identified at time of analysis, and EPSS is 0.00%, but the flaw was reported by Google and is patched in v0.2.1.

Technical ContextAI

SentencePiece is Google's open-source unsupervised text tokenizer/detokenizer (BPE and unigram models) embedded in many NLP and LLM pipelines to serialize and deserialize trained tokenizer models, typically via protobuf-backed .model files. The CPE cpe:2.3:a:google:sentencepiece:*:*:*:*:*:*:*:* confirms the affected component is the SentencePiece application/library itself. The root cause is CWE-119 (improper restriction of operations within the bounds of a memory buffer): when parsing a model file whose internal fields/offsets are malformed in a way the legitimate training procedure would never produce, the deserialization code performs an out-of-bounds or otherwise invalid memory access. This is a classic untrusted-deserialization buffer-handling bug rather than a flaw in tokenization logic for normal inputs.

RemediationAI

Vendor-released patch: 0.2.1 - upgrade SentencePiece to v0.2.1 or later (https://github.com/google/sentencepiece/releases/tag/v0.2.1), and for Red Hat-based systems apply the packages from RHSA-2026:3782 and RHSA-2026:3713 rather than relying on pip alone, since the library is bundled in distro/product builds. Because exploitation depends on loading an attacker-controlled model file, the most effective compensating control where immediate patching is not possible is to treat tokenizer model files as untrusted input: only load .model files from trusted, integrity-verified sources (pin checksums/signatures of known-good models), and reject or sandbox any user-supplied or third-party-downloaded models. If your application accepts uploaded models, isolate the deserialization/tokenizer load in a low-privilege, resource-limited sandbox or separate process so a crash or memory-corruption cannot compromise the main service - the trade-off is added IPC/latency and operational complexity. Avoid loading models from model hubs or shared storage without provenance checks until upgraded.

Vendor StatusVendor

Share

CVE-2026-1260 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy