Description
A flaw has been found in Assimp up to 6.0.4. Affected by this vulnerability is the function Assimp::glTFImporter::ImportMeshes of the file glTFImporter.cpp of the component glTFImporter. This manipulation causes null pointer dereference. The attack is restricted to local execution. The exploit has been published and may be used. The project tagged the reported issue as bug.
Published: 2026-05-31
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null pointer dereference has been identified in the ImportMeshes function of the glTFImporter component of Assimp. When an untrusted glTF file is processed, the code can dereference a null pointer, causing the application to crash or terminate prematurely. The flaw falls under CWE‑476 and may also be considered a CWE‑404 issue involving improper resource release. The primary consequence is a denial‑of‑service for local users; no data is disclosed or privileges elevated.

Affected Systems

The vulnerability exists in all Assimp releases up to and including version 6.0.4. Systems that embed this library and import user‑supplied glTF assets—such as game engines, 3‑D content pipelines, CAD viewers, and multimedia players—are potentially affected.

Risk and Exploitability

The CVSS score of 4.8 reflects moderate severity, limited to local execution. No EPSS data are available, but publicly available proof‑of‑concept code demonstrates that an attacker can easily supply a crafted glTF file to trigger the crash. Although the exploit does not provide remote code execution or privilege escalation, it can be used to repeatedly deny service by crashing the importing process. The vulnerability is listed as not included in CISA KEV, implying no known widespread exploitation at this time.

Generated by OpenCVE AI on May 31, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Assimp to a revision newer than 6.0.4 that includes the null‑pointer dereference fix.
  • If an upgrade is not possible immediately, block or fully validate all incoming glTF files before they reach ImportMeshes, ensuring only well‑formed assets are processed.
  • Insert runtime checks in the application to verify that any pointer returned from ImportMeshes is non‑null before usage.
  • Implement process isolation or a watchdog to detect and recover from application crashes promptly.

Generated by OpenCVE AI on May 31, 2026 at 23:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 31 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description A flaw has been found in Assimp up to 6.0.4. Affected by this vulnerability is the function Assimp::glTFImporter::ImportMeshes of the file glTFImporter.cpp of the component glTFImporter. This manipulation causes null pointer dereference. The attack is restricted to local execution. The exploit has been published and may be used. The project tagged the reported issue as bug.
Title Assimp glTFImporter glTFImporter.cpp ImportMeshes null pointer dereference
First Time appeared Assimp
Assimp assimp
Weaknesses CWE-404
CWE-476
CPEs cpe:2.3:a:assimp:assimp:*:*:*:*:*:*:*:*
Vendors & Products Assimp
Assimp assimp
References
Metrics cvssV2_0

{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Assimp Assimp
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-31T22:15:12.239Z

Reserved: 2026-05-31T06:13:37.737Z

Link: CVE-2026-10198

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-31T23:16:41.760

Modified: 2026-05-31T23:16:41.760

Link: CVE-2026-10198

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-31T23:30:14Z

Weaknesses