{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-53011", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-06-24T03:50:36.796Z", "datePublished": "2025-08-01T17:58:47.388Z", "dateUpdated": "2025-08-01T18:16:36.719Z"}, "containers": {"cna": {"title": "MaterialX is Vulnerable to NULL Pointer Dereference due to Unchecked implGraphOutput", "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "lang": "en", "description": "CWE-476: NULL Pointer Dereference", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-7qw8-3vmf-gj32", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-7qw8-3vmf-gj32"}, {"name": "https://github.com/AcademySoftwareFoundation/MaterialX/commit/7ac1c71de5187dc29793292b5a8dc6d784192ecf", "tags": ["x_refsource_MISC"], "url": "https://github.com/AcademySoftwareFoundation/MaterialX/commit/7ac1c71de5187dc29793292b5a8dc6d784192ecf"}, {"name": "https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3"}, {"name": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011", "tags": ["x_refsource_MISC"], "url": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011"}], "affected": [{"vendor": "AcademySoftwareFoundation", "product": "MaterialX", "versions": [{"version": ">= 1.39.2, < 1.39.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-01T17:58:47.388Z"}, "descriptions": [{"lang": "en", "value": "MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, when parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files. An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file. This is fixed in version 1.39.3."}], "source": {"advisory": "GHSA-7qw8-3vmf-gj32", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-01T18:16:26.186303Z", "id": "CVE-2025-53011", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-01T18:16:36.719Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-53011", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-01T18:16:26.186303Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-01T18:16:29.050Z"}}], "cna": {"title": "MaterialX is Vulnerable to NULL Pointer Dereference due to Unchecked implGraphOutput", "source": {"advisory": "GHSA-7qw8-3vmf-gj32", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "AcademySoftwareFoundation", "product": "MaterialX", "versions": [{"status": "affected", "version": ">= 1.39.2, < 1.39.3"}]}], "references": [{"url": "https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-7qw8-3vmf-gj32", "name": "https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-7qw8-3vmf-gj32", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/AcademySoftwareFoundation/MaterialX/commit/7ac1c71de5187dc29793292b5a8dc6d784192ecf", "name": "https://github.com/AcademySoftwareFoundation/MaterialX/commit/7ac1c71de5187dc29793292b5a8dc6d784192ecf", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3", "name": "https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011", "name": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, when parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files. An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file. This is fixed in version 1.39.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-01T17:58:47.388Z"}}}, "cveMetadata": {"cveId": "CVE-2025-53011", "state": "PUBLISHED", "dateUpdated": "2025-08-01T18:16:36.719Z", "dateReserved": "2025-06-24T03:50:36.796Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-01T17:58:47.388Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:materialx:1.39.2:-:*:*:*:*:*:*", "matchCriteriaId": "2FE3ABEE-CE46-4ADF-85C7-A5A99FCF30F0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, when parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files. An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file. This is fixed in version 1.39.3."}, {"lang": "es", "value": "MaterialX es un est\u00e1ndar abierto para el intercambio de contenido de desarrollo visual y de materiales enriquecidos entre aplicaciones y renderizadores. En la versi\u00f3n 1.39.2, al analizar nodos de sombreado en un archivo MTLX, el c\u00f3digo de MaterialXCore accede a un puntero potencialmente nulo, lo que puede provocar fallos con archivos maliciosos. Un atacante podr\u00eda bloquear intencionalmente un programa objetivo que use MaterialX enviando un archivo MTLX malicioso. Esto se solucion\u00f3 en la versi\u00f3n 1.39.3."}], "id": "CVE-2025-53011", "lastModified": "2025-08-20T21:24:15.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-08-01T18:15:54.827", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/AcademySoftwareFoundation/MaterialX/commit/7ac1c71de5187dc29793292b5a8dc6d784192ecf"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-7qw8-3vmf-gj32"}, {"source": "security-advisories@github.com", "tags": ["Exploit"], "url": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{}