
exploitDog


CVE-2026-1260

Published: 22 Jan 2026
Source: redhat
CVSS3: 7.8
EPSS: Low

Description

Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure.

A flaw was found in Sentencepiece. This flaw involves invalid memory access when the software processes a specially crafted, vulnerable model file. A local attacker could exploit this by tricking a user into loading such a file. Successful exploitation could lead to a denial of service, information disclosure, or potentially arbitrary code execution.

Report

This IMPORTANT flaw in Sentencepiece allows invalid memory access when processing a specially crafted model file. A local attacker could exploit this by deceiving a user into loading a malicious file, potentially leading to denial of service, information disclosure, or arbitrary code execution. Red Hat products utilizing Sentencepiece, such as Red Hat AI Inference Server and Red Hat OpenShift AI, are affected if they process untrusted model files.

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| Red Hat AI Inference Server | rhaiis-preview/vllm-cuda-rhel9 | Not affected | | |
| Red Hat AI Inference Server | rhaiis/vllm-cuda-rhel9 | Affected | | |
| Red Hat AI Inference Server | rhaiis/vllm-rocm-rhel9 | Affected | | |
| Red Hat AI Inference Server | rhaiis/vllm-spyre-rhel9 | Not affected | | |
| Red Hat AI Inference Server | rhaiis/vllm-tpu-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/bootc-aws-cuda-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/bootc-azure-cuda-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/bootc-cuda-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/bootc-gcp-cuda-rhel9 | Not affected | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-kserve-agent-rhel9 | Not affected | | |


Additional information

Status: Important
Defect: CWE-119
https://bugzilla.redhat.com/show_bug.cgi?id=2432079 sentencepiece: Sentencepiece: Invalid memory access leading to potential arbitrary code execution via a crafted model file.

EPSS

Percentile: 0%
0.00003
Low

7.8 High

CVSS3

Related vulnerabilities

CVSS3: 7.8
nvd
2 months ago

Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure.

github
2 months ago

Sentencepiece has a heap overflow issue
