Intel

AIKIDO-2026-545455

sherpa_onnx is vulnerable to Out-of-bounds Write

Out-of-bounds Write Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

29

Low Risk

This Affects:

DARTsherpa_onnx
1.10.28 - 1.13.0
Fixed in 1.13.1
Are you affected? Scan for Free

TL;DR

The offline speaker diarization pipeline indexes result vectors, an Eigen matrix, and intermediate sample lists using speaker and cluster IDs without validating them against the expected range. When FastClustering produces cluster labels outside the expected count, ReLabel writes past the matrix column bounds, SortBySpeaker reads past the result vector, and the post-filtering index loop reads past the sample lists, causing out-of-bounds memory access. Processing many audio files through diarization can intermittently trigger heap buffer overflow and SIGSEGV crashes of the host process. The fix validates speaker, cluster, and sample indices before array and matrix access and skips out-of-range IDs.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you use the offline speaker diarization feature.

Background info

sherpa_onnx is vulnerable to Out-of-bounds Write in versions 1.10.28 - 1.13.0.

How to fix this

Upgrade the sherpa_onnx library to the patch version.