Kitware VTK
cpe:2.3:a:vtk:vtk:*:*:*:*:*:*:*
- <= 9.5.0
A heap buffer overflow vulnerability has been identified in Kitware VTK (Visualization Toolkit) versions through 9.5.0. The issue arises in the GLTF document loader, specifically within the 'BufferDataExtractionWorker' template function, when the software processes GLTF accessor data. The vulnerability allows reading beyond allocated buffer boundaries, potentially leading to memory corruption.
Exploitation of this vulnerability causes a heap buffer overflow, with the out-of-bounds read potentially leading to information disclosure, application crashes, and memory corruption in adjacent heap structures.
The vulnerability can be reproduced by building VTK with AddressSanitizer enabled, and then using a malformed GLTF file that triggers the buffer overflow when loaded with 'vtkGLTFImporter'.
To address this vulnerability, users can apply merge request !12375, which adds proper bounds checking in the 'BufferDataExtractionWorker' function.
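The kind of range check a glTF loader needs before copying accessor data, shown as an added example; it is not VTK's code and not the contents of merge request !12375. The `AccessorView` struct and both function names are hypothetical, and the size rule is the accessor/bufferView fit requirement from the glTF 2.0 specification.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <vector>

// Hypothetical, simplified view of the glTF fields involved (not VTK's types).
struct AccessorView {
  std::size_t viewOffset;     // bufferView.byteOffset
  std::size_t viewLength;     // bufferView.byteLength
  std::size_t viewStride;     // bufferView.byteStride, 0 means tightly packed
  std::size_t accessorOffset; // accessor.byteOffset
  std::size_t count;          // accessor.count (glTF 2.0 requires >= 1)
  std::size_t elementSize;    // component count * component size, e.g. 12 for VEC3 float
};

// True only if every element lies inside the bufferView and the bufferView inside the buffer.
bool AccessorInBounds(const AccessorView& a, std::size_t bufferSize)
{
  const std::size_t maxSize = std::numeric_limits<std::size_t>::max();
  if (a.elementSize == 0 || a.count == 0)
    return false;
  const std::size_t stride = a.viewStride ? a.viewStride : a.elementSize;
  if (stride < a.elementSize)
    return false; // elements would overlap
  // span = stride * (count - 1) + elementSize; reject if that would wrap around.
  if (a.count - 1 > (maxSize - a.elementSize) / stride)
    return false;
  const std::size_t span = stride * (a.count - 1) + a.elementSize;
  // Subtractions are ordered so that no comparison can itself overflow.
  if (a.viewOffset > bufferSize || a.viewLength > bufferSize - a.viewOffset)
    return false;
  return a.accessorOffset <= a.viewLength && span <= a.viewLength - a.accessorOffset;
}

// Copies the accessor's elements into a tightly packed vector, refusing malformed input.
bool ExtractElements(const std::vector<std::uint8_t>& buffer, const AccessorView& a,
                     std::vector<std::uint8_t>& out)
{
  out.clear();
  if (!AccessorInBounds(a, buffer.size()))
    return false;
  const std::size_t stride = a.viewStride ? a.viewStride : a.elementSize;
  const std::uint8_t* base = buffer.data() + a.viewOffset + a.accessorOffset;
  out.resize(a.count * a.elementSize);
  for (std::size_t i = 0; i < a.count; ++i)
    std::memcpy(out.data() + i * a.elementSize, base + i * stride, a.elementSize);
  return true;
}
```

A file whose declared `count` or offsets exceed the real buffer is rejected before any byte is read, which is the condition AddressSanitizer would otherwise report as a heap out-of-bounds read.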