Open Asset Import Library (Assimp) Use-After-Free Vulnerability in LWO Importer

Vulnerability

A heap-use-after-free vulnerability has been identified in Open Asset Import Library (Assimp) versions prior to 6.0.2. The issue arises in the LWO file importer, specifically within the 'FindUVChannels' function of 'LWOMaterial.cpp'. This vulnerability can be exploited locally by processing specially crafted LWO files, leading to a crash of the application. The vulnerability has been publicly disclosed and is tracked under issue #6258.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the application.

Reproduction

The vulnerability can be reproduced by compiling Assimp with AddressSanitizer enabled, using Clang as the compiler. After building the application, the 'assimp extract' command can be used to process a crafted LWO file, which triggers the use-after-free condition and causes a crash.
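
To confirm that a crash seen in an AddressSanitizer build is this issue and not a different defect, the sanitizer report can be checked against the bug class, function and file named above. The Python code below is an added example, not part of the original advisory or of the Assimp project; the sample report is constructed (addresses, paths and line numbers are invented), and `parse_asan` and `matches_advisory` are hypothetical helper names.

```python
import re

# Constructed AddressSanitizer report: addresses, paths and line numbers are
# invented; only FindUVChannels and LWOMaterial.cpp come from the advisory.
SAMPLE_REPORT = """\
==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000eff0 at pc 0x0000005a1b2c bp 0x7ffd00001000 sp 0x7ffd00000ff8
READ of size 4 at 0x60300000eff0 thread T0
    #0 0x5a1b2b in Assimp::LWOImporter::FindUVChannels(...) /constructed/path/LWOMaterial.cpp:100:10
    #1 0x4c0000 in main /constructed/path/Main.cpp:50:3

0x60300000eff0 is located 0 bytes inside of 32-byte region [0x60300000eff0,0x60300000f010)
freed by thread T0 here:
    #0 0x4a0000 in operator delete(void*) (/constructed/bin/assimp+0x4a0000)
    #1 0x4c0100 in main /constructed/path/Main.cpp:40:3
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS = re.compile(r"(READ|WRITE) of size \d+")
FRAME = re.compile(r"\s*#\d+ 0x[0-9a-f]+ in (.+?) (\S+)$")
SECTIONS = {"freed by thread": "free", "previously allocated by thread": "alloc"}

def parse_asan(report):
    """Return bug class, access kind and per-section stacks, or None if not ASan output."""
    header = HEADER.search(report)
    if header is None:
        return None
    parsed = {"bug": header.group(1), "access": None, "stacks": {}}
    section = None
    for line in report.splitlines():
        if (acc := ACCESS.match(line)):
            parsed["access"], section = acc.group(1), "access"
        elif (key := next((k for k in SECTIONS if line.startswith(k)), None)):
            section = SECTIONS[key]
        elif section and (frame := FRAME.match(line)):
            func, location = frame.groups()
            # Keep only the source file's base name, dropping directory and line:column.
            source = location.split(":")[0].rsplit("/", 1)[-1]
            parsed["stacks"].setdefault(section, []).append((func, source))
    return parsed

def matches_advisory(report, depth=3):
    """True if the report is a heap-use-after-free whose faulting stack reaches
    FindUVChannels in LWOMaterial.cpp within the top `depth` frames."""
    parsed = parse_asan(report)
    if parsed is None or parsed["bug"] != "heap-use-after-free":
        return False
    # Container or inlined helper frames may sit above the importer function.
    top = parsed["stacks"].get("access", [])[:depth]
    return any("FindUVChannels" in f and s == "LWOMaterial.cpp" for f, s in top)
```

Only the faulting (access) stack is matched, so a report where the function appears solely in the free or allocation stack is treated as a different crash.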

Added: Jan 18, 2026, 11:25 PM
Updated: Jan 18, 2026, 11:25 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 0.8
exploitability: 4.6
remediation: 0.0
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.