Bug 2432079 (CVE-2026-1260)

Summary: CVE-2026-1260 sentencepiece: Sentencepiece: Invalid memory access leading to potential arbitrary code execution via a crafted model file.
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: alinfoot, bbrownin, dtrifiro, jkoehler, lphiri, rbryant, weaton
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Sentencepiece. This flaw involves invalid memory access when the software processes a specially crafted, vulnerable model file. A local attacker could exploit this by tricking a user into loading such a file. Successful exploitation could lead to a denial of service, information disclosure, or potentially arbitrary code execution.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2432135, 2432138, 2432136, 2432137, 2432139    
Bug Blocks:    

Description OSIDB Bzimport 2026-01-22 18:01:21 UTC
Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure.