Cyber Resilience

CVE-2026-1260

HighUpdated

Published: 22 January 2026

Published
22 January 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0013 3.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-1260 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Google Sentencepiece. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 3.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as NLP and Transformers; in the Adversarial Attacks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-1260 is an invalid memory access vulnerability affecting Sentencepiece versions prior to 0.2.1. The issue arises when processing a vulnerable model file, which is not generated through the standard training procedure. Classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), it carries a CVSS v3.1 base score of 7.8, indicating high severity due to potential impacts on confidentiality, integrity, and availability.

A local attacker with low privileges can exploit this vulnerability by supplying a malicious model file to a Sentencepiece instance running with those privileges. The low attack complexity and lack of required user interaction enable reliable exploitation, potentially leading to arbitrary code execution, data corruption, or denial of service through memory corruption.

The official mitigation, as detailed in the Sentencepiece release notes at https://github.com/google/sentencepiece/releases/tag/v0.2.1, involves upgrading to version 0.2.1 or later, which addresses the invalid memory access flaw. Security practitioners should validate and sanitize model files from untrusted sources prior to processing.

EU & UK References

Vulnerability details

Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure.

CWE(s)

AI Security AnalysisAI

AI Category
NLP and Transformers
Risk Domain
Adversarial Attacks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: sentencepiece

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Direct local exploitation of memory corruption in Sentencepiece via malicious model file enables arbitrary code execution without user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6315Same vendor: Google
CVE-2024-43767Same vendor: Google
CVE-2026-8540Same vendor: Google
CVE-2025-0084Same vendor: Google
CVE-2025-0997Same vendor: Google
CVE-2025-0762Same vendor: Google
CVE-2026-4092Same vendor: Google
CVE-2025-1920Same vendor: Google
CVE-2025-12907Same vendor: Google
CVE-2026-6319Same vendor: Google

Affected Assets

google
sentencepiece
≤ 0.2.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely flaw remediation, such as upgrading Sentencepiece to version 0.2.1 or later.

prevent

Addresses exploitation via malicious model files by enforcing validation and sanitization of inputs from untrusted sources before processing.

prevent

Implements memory protection mechanisms that prevent unauthorized code execution and corruption from invalid memory accesses like buffer overflows.

References