Open Asset Import Library Assimp Heap-Based Buffer Overflow Vulnerability

Vulnerability

A critical heap-based buffer overflow vulnerability has been identified in Open Asset Import Library (Assimp) versions prior to 5.4.3. The issue arises in the 'read_meshes' function within 'HL1MDLLoader.cpp' (the Half-Life 1 MDL importer), where improper handling of the mesh, vertex, normal, and bone data read from the model file can lead to out-of-bounds memory access. This vulnerability can be exploited locally, and details of the exploit are publicly available.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow when a crafted model file is imported, which can lead to memory corruption or arbitrary code execution in the process that loads the file.

Reproduction

The vulnerability can be reproduced by compiling Assimp with Clang, using the compiler flags that enable fuzzing instrumentation and AddressSanitizer. After compiling the library, the 'assimp_fuzzer' executable can be run with a proof-of-concept file that triggers the buffer overflow; AddressSanitizer then reports the out-of-bounds heap access.

Added: Jun 16, 2025, 12:25 PM
Updated: Jun 16, 2025, 1:06 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          5.4
impact          2.5
exploitability  5.8
remediation     7.7
relevance       0.2
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.