Description
An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXConverter.cpp, FBXConverter::ConvertMeshMultiMaterial() components.
Published: 2026-05-04
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An issue in Assimp version 6.0.2 enables a remote attacker to trigger a denial of service by sending specially crafted FBX files to the FBXConverter::ConvertMeshMultiMaterial routine. The flaw causes out‑of‑bounds memory reads (CWE‑125), leading the library to crash or use excessive resources and preventing any further FBX processing. The resulting outage impacts application availability, with no evidence of confidentiality or integrity loss.

Affected Systems

The vulnerability specifically affects the Assimp library version 6.0.2. Any software that incorporates this library and uses the FBX conversion feature may be at risk if not updated.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is not available, so the exact exploitation likelihood cannot be quantified, but the remote trigger via an external FBX file suggests that attackers could exploit the flaw in environments where the conversion routine is exposed to untrusted input. The vulnerability is not listed in the CISA KEV catalog yet, but the potential for denial of service remains significant for systems that process FBX assets.

Generated by OpenCVE AI on May 4, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to an Assimp release in which the FBXConverter vulnerability is resolved.
  • Restrict access to the FBX conversion capability by limiting uploads to trusted users and implementing strict input validation.
  • Monitor logs for crashes or excessive resource usage during FBX import, and consider adding timeouts or sandboxing until a patch is deployed.


Advisories

No advisories yet.

History

Tue, 05 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Assimp FBX Converter Out-of-Bounds Read Leads to Denial of Service Assimp: Assimp: Denial of Service via FBXConverter components
Weaknesses CWE-770
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 04 May 2026 19:45:00 +0000

Type Values Removed Values Added
Title Assimp FBX Converter Out-of-Bounds Read Leads to Denial of Service

Mon, 04 May 2026 18:15:00 +0000

Type Values Removed Values Added
Title Assimp 6.0.2 Denial of Service via FBX Conversion
Weaknesses CWE-399

Mon, 04 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Assimp 6.0.2 Denial of Service via FBX Conversion
First Time appeared Assimp
Assimp assimp
Weaknesses CWE-399
Vendors & Products Assimp
Assimp assimp

Mon, 04 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 15:00:00 +0000

Type Values Removed Values Added
Description An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXConverter.cpp, FBXConverter::ConvertMeshMultiMaterial() components
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-04T15:18:52.574Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70072

Vulnrichment

Updated: 2026-05-04T15:15:15.878Z

NVD

Status: Received

Published: 2026-05-04T15:16:03.467

Modified: 2026-05-04T16:16:01.553

Link: CVE-2025-70072

Redhat

Severity: Moderate

Public Date: 2026-05-04T00:00:00Z

Links: CVE-2025-70072 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-04T19:30:02Z

Weaknesses