Internet Explorer is no longer supported. Many things will still work, but your experience will be degraded and some things won't function. Please use a modern browser such as Edge, Chrome, or Firefox.

PGV-2652427 - PocketSphinx: Buffer overflows in language and acoustic model loading code

Disclosed on July 17, 2026 (updated July 18, 2026)

Vulnerability Overview

PGV-2652427 is a category 2 vulnerabilty that affects the following packages:

  • pocketsphinx, versions < 5.1.1
  • pocketsphinx, versions < 5.1.1

Risk Assessment

The risk assessment shows that this vulnerability is exlpoited by a external attacker. An unauthorized external actor who attempts to exploit this vulnerability without legitimate access.

The impact is contained to the application. Exploitation remains confined to the application and cannot affect the host environment or external systems.

The threat damage has no measurable impact. Exploitation does not result in a meaningful impact to service or data.

Vulnerability Details

Impact

The trie language model code introduced in PocketSphinx 5prealpha failed to check various boundary conditions when reading the headers of ARPA, DMP, and binary format language model files. In the case of invalid, corrupted or malicious input files, this could lead to stack and heap buffer overflows.

In addition, the acoustic model loading code (which is over 30 years old...) contains numerous instances of sscanf with an unbounded string field which could also lead to stack overflows in the case of corrupt or malicious inputs.

Because PocketSphinx will search the directory given by the POCKETSPHINX_PATH environment variable for acoustic and language model files, if this directory is writable by untrusted users, an attacker could corrupt an existing file or write a malicious one to this directory in order to trigger the vulnerability.

Patches

The problem has been corrected in PocketSphinx 5.1.1.

There is no patch currently available for users of Pocketsphinx 5prealpha, who are encouraged to migrate as soon as possible to PocketSphinx 5.1.1.

Workarounds

Ensure that the POCKETSPHINX_PATH environment variable is either unset, or set to a directory whose contents are trusted and which cannot be written by untrusted users.

Common Weakness Enumerations

  • CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-121 - Stack-based Buffer Overflow
  • CWE-122 - Heap-based Buffer Overflow
Your Risk Profile
Network Exposure
External
Accessable from the public internet
Access Interface
WebBrowser
Primarily web-based applications
Service Outage
Disruptive
Operations would be impacted
Data Breach
Disruptive
Operations would be impacted
Data Tampering
Disruptive
Operations would be impacted
Customize
Additional Identifiers
  • CVE-2026-54559
  • GHSA-56r5-2p2f-7cxp