Open Asset Import Library Assimp Uncontrolled Memory Allocation Vulnerability in MDL File Handler

Vulnerability

A resource consumption vulnerability has been identified in Open Asset Import Library (Assimp) version 5.4.3. The issue arises in the MDL File Handler component, specifically within the 'ParseTextureColorData' function of 'MDLMaterialLoader.cpp'. The vulnerability allows for uncontrolled memory allocation by manipulating the 'mWidth' and 'mHeight' parameters, which can lead to excessive resource consumption and potential denial-of-service conditions. This vulnerability can be exploited remotely, without authentication, but requires user interaction.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by exhausting available memory resources, leading to program crashes.

Reproduction

The vulnerability can be reproduced by using a fuzzer to feed a malformed MDL file to the Assimp library: build Assimp with AddressSanitizer enabled, compile a fuzzer that targets the MDL importer, and then run the fuzzer with a crafted input that triggers the out-of-memory condition.

Remediation

Users are advised to upgrade to Assimp version 6.0, where this vulnerability has been addressed.
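
For code that must parse untrusted texture headers, the class of bug described above is avoided by validating the dimensions before they size an allocation. The following is an added example, not Assimp's code or its fix; the function name, the dimension cap, and the assumption that pixel data is stored uncompressed in the file are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical cap for this example: largest accepted texture dimension.
constexpr std::int64_t kMaxDimension = 16384;

// Validates file-supplied dimensions (the advisory's mWidth / mHeight) before
// they are used to size a buffer. On success writes the byte count to
// *out_bytes and returns true; on failure returns false and allocates nothing.
// remaining_bytes is the amount of file data still unread (assumption: the
// pixel data is stored uncompressed, so it cannot exceed what is left).
bool checked_texture_bytes(std::int64_t width, std::int64_t height,
                           std::size_t bytes_per_pixel,
                           std::size_t remaining_bytes,
                           std::size_t *out_bytes) {
    // Reject zero, negative, or implausibly large dimensions.
    if (width <= 0 || height <= 0) return false;
    if (width > kMaxDimension || height > kMaxDimension) return false;
    if (bytes_per_pixel == 0 || bytes_per_pixel > 4) return false;

    // Both factors are <= 2^14 and bpp <= 4, so the product is <= 2^30
    // and cannot overflow the 64-bit intermediate.
    const std::uint64_t bytes = static_cast<std::uint64_t>(width) *
                                static_cast<std::uint64_t>(height) *
                                bytes_per_pixel;

    // A header claiming more pixel data than the file holds is malformed.
    if (bytes > remaining_bytes) return false;

    *out_bytes = static_cast<std::size_t>(bytes);
    return true;
}

int main() {
    std::size_t n = 0;
    // Constructed sample values: a 64-byte file claiming a huge texture.
    bool ok = checked_texture_bytes(0x7fffffff, 0x7fffffff, 1, 64, &n);
    std::printf("huge header accepted: %s\n", ok ? "yes" : "no");
    // Constructed sample values: a plausible 4x2 single-byte-per-pixel skin.
    ok = checked_texture_bytes(4, 2, 1, 8, &n);
    std::printf("small header accepted: %s (%zu bytes)\n", ok ? "yes" : "no", n);
    return 0;
}
```

Comparing the computed size against the bytes remaining in the file is the stronger of the two checks, since a fixed cap alone still lets a tiny file request the maximum allocation.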

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.