Invalid Memory Access in Sentencepiece
Description
Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Invalid memory access in SentencePiece <0.2.1 when processing a crafted model file, leading to potential heap overflow.
Vulnerability Overview
CVE-2026-1260 describes an invalid memory access vulnerability in SentencePiece versions prior to 0.2.1. The issue occurs when the library processes a model file containing a malformed precompiled normalization model, which is not produced during normal training procedures. This can lead to a heap overflow condition [3].
Root Cause and Exploitation
The root cause is a missing length parameter in the `PrefixMatcher` constructor when building the double-array trie. The code previously passed only the key pointers without their corresponding lengths, which could cause the trie builder to read beyond the intended memory boundaries when a crafted input is provided [4]. An attacker would need to get a specially crafted model file loaded by an application that uses SentencePiece. No authentication is required if the attacker can deliver the file to the victim application.
Impact
Successful exploitation could lead to arbitrary code execution, denial of service, or information disclosure, depending on how the invalid memory access is exploited. A CVSS v4.0 score is pending from NVD, but the heap overflow nature of the bug suggests potential for arbitrary code execution [2].
Mitigation
The vulnerability is fixed in SentencePiece version 0.2.1, released on 2026-01-22 [3]. Users are strongly advised to update to this version or later. The fix ensures that string lengths are passed to the trie builder, preventing out-of-bounds reads [4]. No workarounds are documented; updating the library is the recommended action.
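The missing-length problem and the length-passing fix described above, as an added example that is not SentencePiece or Darts code: `View` stands in for `absl::string_view`, and `KeyLength`, `SampleDic`, `ExtraBytesRead` and the scan-to-NUL behaviour of the builder are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Stand-in for absl::string_view: a pointer plus a length, with no NUL
// terminator implied at ptr[len].
struct View {
  const char *ptr;
  std::size_t len;
};

// Hypothetical model of a trie builder's key-length lookup (an assumption of
// this example, not Darts code): with no lengths array it scans for '\0'.
std::size_t KeyLength(const char *const *keys, const std::size_t *lengths,
                      std::size_t i) {
  if (lengths != nullptr) return lengths[i];
  std::size_t n = 0;
  while (keys[i][n] != '\0') ++n;
  return n;
}

// Constructed sample: two 2-byte keys that are slices of one buffer. The
// buffer is NUL-terminated only so this demo stays in bounds; bytes taken
// from a model file carry no such guarantee.
static const char kBlob[] = "abcdef";

std::vector<View> SampleDic() {
  return {View{kBlob, 2}, View{kBlob + 2, 2}};
}

// Returns how many bytes beyond the keys' real sizes the builder would consume.
std::size_t ExtraBytesRead(const std::vector<View> &dic, bool pass_lengths) {
  std::vector<const char *> key;
  std::vector<std::size_t> lengths;
  for (const auto &it : dic) {
    key.push_back(it.ptr);
    lengths.push_back(it.len);
  }
  const std::size_t *len_arg = pass_lengths ? lengths.data() : nullptr;
  std::size_t extra = 0;
  for (std::size_t i = 0; i < key.size(); ++i)
    extra += KeyLength(key.data(), len_arg, i) - lengths[i];
  return extra;
}

int main() {
  std::printf("pointers only: %zu extra bytes\n", ExtraBytesRead(SampleDic(), false));
  std::printf("with lengths:  %zu extra bytes\n", ExtraBytesRead(SampleDic(), true));
}
```

With pointers only, each key is read up to the next NUL rather than to its own end; with the lengths array the builder stops at the key boundary.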
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sentencepiece (PyPI) | < 0.2.1 | 0.2.1 |
Affected products
- (no CPE) range: 0.2.1pre1, v0.1.4, v0.1.5, …
- (no CPE) range: <0.2.1
Patches
1d856b67fdb34 fixed potential heap overflow issue to make double array trie
1 file changed · +8 −3
src/normalizer.cc+8 −3 modified@@ -321,11 +321,16 @@ util::Status Normalizer::DecodePrecompiledCharsMap( PrefixMatcher::PrefixMatcher(const std::set<absl::string_view> &dic) { if (dic.empty()) return; std::vector<const char *> key; + std::vector<size_t> lengths; key.reserve(dic.size()); - for (const auto &it : dic) key.push_back(it.data()); + lengths.reserve(dic.size()); + for (const auto &it : dic) { + key.push_back(it.data()); + lengths.push_back(it.size()); + } trie_ = std::make_unique<Darts::DoubleArray>(); - if (trie_->build(key.size(), const_cast<char **>(&key[0]), nullptr, - nullptr) != 0) { + if (trie_->build(key.size(), const_cast<char **>(key.data()), + const_cast<size_t *>(lengths.data()), nullptr) != 0) { LOG(ERROR) << "Failed to build the TRIE for PrefixMatcher"; trie_.reset(); }
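Review bot: in the new `trie_->build(...)` call, `const_cast<size_t *>(lengths.data())` is a no-op, because `lengths` is a non-const `std::vector<size_t>` and `data()` already returns `size_t *`; drop the cast and pass `lengths.data()` directly. The constructor would also benefit from a one-line comment stating why the lengths are required (an `absl::string_view` is not guaranteed to be NUL-terminated at `data() + size()`), so that a later cleanup does not revert the argument to `nullptr`. Since the commit touches only `src/normalizer.cc`, a regression test that builds a `PrefixMatcher` from views without a terminator after them is worth adding alongside it.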
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0 (no linked articles in our index yet)