Skip to main content

Sentencepiece

1 CVEs product

Monthly

CVE-2026-1260 PyPI HIGH PATCH This Week

Memory-corruption in Google's SentencePiece tokenizer library (all versions before 0.2.1) lets a maliciously crafted model file trigger an invalid memory access (CWE-119) when the file is loaded, potentially leading to crashes or arbitrary code execution in the host process. Exploitation requires a victim to load an attacker-supplied model that was deliberately built outside the normal training pipeline, so it is not remotely triggerable on its own. No public exploit identified at time of analysis, and EPSS is 0.00%, but the flaw was reported by Google and is patched in v0.2.1.

Buffer Overflow Sentencepiece
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Memory-corruption in Google's SentencePiece tokenizer library (all versions before 0.2.1) lets a maliciously crafted model file trigger an invalid memory access (CWE-119) when the file is loaded, potentially leading to crashes or arbitrary code execution in the host process. Exploitation requires a victim to load an attacker-supplied model that was deliberately built outside the normal training pipeline, so it is not remotely triggerable on its own. No public exploit identified at time of analysis, and EPSS is 0.00%, but the flaw was reported by Google and is patched in v0.2.1.

Buffer Overflow Sentencepiece
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy