Open Asset Import Library Assimp Out-of-Bounds Read Vulnerability in MDC File Parser

Vulnerability

A heap-based out-of-bounds read vulnerability has been identified in Open Asset Import Library (Assimp) version 5.4.3. The issue arises in the MDC File Parser component, specifically within the 'MDCImporter::InternReadFile' function of 'MDCLoader.cpp'. The vulnerability is triggered by improper validation of the 'pcVerts' argument, which can lead to out-of-bounds memory access. This vulnerability can be exploited locally.
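The class of check whose absence produces this kind of read, as an added example (not Assimp's code and not the actual fix): a vertex array located through file-supplied fields is validated against the buffer length before any element is read. The header layout, field names and `read_vert` are hypothetical and do not reflect the real MDC format; host byte order is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified header: NOT the real MDC surface layout. */
typedef struct {
    uint32_t num_verts;     /* vertex count claimed by the file */
    uint32_t verts_offset;  /* byte offset of the vertex array from buffer start */
} surf_hdr_t;

typedef struct { int16_t x, y, z; uint16_t normal; } vert_t;

/* Copies vertex `index` into *out. Returns 0 on success, -1 if the header or
 * any part of the claimed vertex array falls outside buf[0..len). */
int read_vert(const uint8_t *buf, size_t len, uint32_t index, vert_t *out)
{
    surf_hdr_t h;
    if (buf == NULL || out == NULL || len < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);                 /* no unaligned dereference */

    /* The array must start after the header and inside the buffer. */
    if (h.verts_offset < sizeof h || h.verts_offset > len) return -1;
    size_t avail = len - h.verts_offset;

    /* Division form: num_verts * sizeof(vert_t) could overflow, this cannot. */
    if (h.num_verts > avail / sizeof(vert_t)) return -1;
    if (index >= h.num_verts) return -1;

    memcpy(out, buf + h.verts_offset + (size_t)index * sizeof(vert_t), sizeof *out);
    return 0;
}

int main(void)
{
    /* Constructed sample: header claims 1000 vertices, buffer holds two. */
    uint8_t buf[24] = {0};
    surf_hdr_t h = { 1000, 8 };
    vert_t v;
    memcpy(buf, &h, sizeof h);
    printf("oversized count: %d\n", read_vert(buf, sizeof buf, 5, &v));
    h.num_verts = 2;
    memcpy(buf, &h, sizeof h);
    printf("honest count:    %d\n", read_vert(buf, sizeof buf, 1, &v));
    return 0;
}
```
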

Impact

Exploitation of this vulnerability causes a heap-based out-of-bounds read, which can lead to memory corruption or information disclosure.

Reproduction

The vulnerability can be reproduced by building the Assimp fuzzer with AddressSanitizer (ASAN) enabled, similar to the process used by OSS-Fuzz. After compiling the fuzzer, it can be run with a crafted input that triggers the out-of-bounds read in the MDC importer.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.