Description
An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXMeshGeometry.cpp, MeshGeometry::MeshGeometry()
Published: 2026-05-04
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a denial of service in Assimp 6.0.2. A crafted FBX file that exploits a flaw in the FBXMeshGeometry.cpp constructor can cause the library to allocate excessive resources or crash. This flaw corresponds to a NULL pointer dereference scenario (CWE-476). Applications relying on this version can lose availability, leading to degraded user experience or business disruption.

Affected Systems

The flaw affects the Assimp library version 6.0.2, which is bundled in many 3D applications, game engines, and content pipelines. Any software that loads FBX files via this version is potentially vulnerable. Vendor details are not disclosed, but any product that ships with Assimp 6.0.2 is at risk.

Risk and Exploitability

The CVSS score is 6.5 and no EPSS value is available, so the exploit likelihood cannot be quantified. The issue is not in the CISA KEV catalog. An attacker can provide a malicious FBX file to the vulnerable application, triggering the constructor and forcing the process to crash or consume excessive memory. The attack can be performed remotely over the network by exploiting any exposed interface that accepts FBX files.

Generated by OpenCVE AI on May 4, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Assimp to a supported version that includes the FBXMeshGeometry parser fix.
  • If an upgrade is not immediately possible, disable or restrict loading of FBX files from untrusted sources, and validate file size and structure before processing.
  • Deploy process isolation or sandboxing for the library to limit the impact of a denial of service, and monitor memory usage to detect abnormal consumption.

Advisories

No advisories yet.

History

Tue, 05 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Assimp 6.0.2 Denial of Service via FBX Mesh Geometry Null Dereference Assimp: Assimp: Denial of Service via FBXMeshGeometry.cpp, MeshGeometry::MeshGeometry()
Weaknesses CWE-617
References
Metrics threat_severity: None threat_severity: Moderate

Mon, 04 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title Assimp 6.0.2 Denial of Service via FBX Mesh Geometry Null Dereference

Mon, 04 May 2026 18:15:00 +0000

Type Values Removed Values Added
Title Denial of Service in Assimp 6.0.2 via FBX Mesh Geometry Parser
Weaknesses CWE-400

Mon, 04 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Denial of Service in Assimp 6.0.2 via FBX Mesh Geometry Parser
First Time appeared Assimp; Assimp assimp
Weaknesses CWE-400
Vendors & Products Assimp; Assimp assimp

Mon, 04 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 15:00:00 +0000

Type Values Removed Values Added
Description An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXMeshGeometry.cpp, MeshGeometry::MeshGeometry()
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-04T15:26:04.832Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70070

Vulnrichment

Updated: 2026-05-04T15:24:26.709Z

NVD

Status: Received

Published: 2026-05-04T15:16:03.360

Modified: 2026-05-04T16:16:00.863

Link: CVE-2025-70070

Redhat

Severity: Moderate

Public Date: 2026-05-04T00:00:00Z

Links: CVE-2025-70070 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-04T20:00:07Z

Weaknesses