Description
A vulnerability has been found in Assimp up to 6.0.4. Affected by this issue is the function glTF2::LazyDict in the library glTF2Asset.h. Such manipulation of the argument operator[] leads to null pointer dereference. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is d24b85319bd70c65883a2b96613e07e23fb95981. It is best practice to apply a patch to resolve this issue.
Published: 2026-05-31
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in glTF2::LazyDict in Assimp's glTF2Asset.h: a crafted glTF file can drive LazyDict's operator[] into a null pointer dereference, which crashes the process that loads the file. The result is a denial of service for any process that ingests the malicious model. The flaw is tracked as CWE-404 (Improper Resource Shutdown or Release) and CWE-476 (NULL Pointer Dereference). Only availability is scored: the CVSS vectors in the history below rate confidentiality and integrity impact as none, and nothing on this page indicates code execution or disclosure of memory contents beyond the crash.

Affected Systems

All deployments of the Assimp library up to and including version 6.0.4 are affected. Assimp is embedded in many 3D content pipelines, game engines and graphics tools (inferred from the library's role; the page lists no downstream products). Any Assimp instance that runs the glTF2 importer on attacker-supplied files is exposed. The fix is referenced as commit d24b85319bd70c65883a2b96613e07e23fb95981; the page does not name a released version that contains it.

Risk and Exploitability

The CVSS v4.0 base score of 4.8 rates the flaw Medium; the CVSS v3.1 score is 3.3 (Low). EPSS is below 1% and the CVE is not in the CISA KEV catalog, so exploitation in the wild is not observed, although a proof of concept has been disclosed (SSVC Exploitation: poc, Automatable: no). The vector is local (AV:L) with low attack complexity and low privileges required: the attacker's task is to get a crafted glTF file loaded by the target application. The only scored impact is availability, so the practical outcome is a crash of the consuming process. Treat the local vector as describing how the file is delivered, not as a statement that a service which parses user-uploaded models is out of reach.

Generated by OpenCVE AI on May 31, 2026 at 23:50 UTC.

Remediation

No vendor advisory or workaround is listed here. The description references commit d24b85319bd70c65883a2b96613e07e23fb95981 as the patch.

OpenCVE Recommended Actions

  • Upgrade Assimp to a build that includes commit d24b85319bd70c65883a2b96613e07e23fb95981. The page does not name the first released version containing it; check the project's release notes before relying on a version number.
  • If an update is not immediately possible, validate glTF files from untrusted sources before they reach the importer and reject anything malformed. This narrows exposure but is not a substitute for the patch, because the exact input that triggers the dereference is not described here.
  • Where the library cannot be updated, feed the Assimp importer only trusted models, or run it in an isolated process or sandbox so that a crash terminates a worker without taking down the host service.

Generated by OpenCVE AI on May 31, 2026 at 23:50 UTC.
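
The "validate or reject glTF files before they are parsed" recommendation above is easier to act on with a concrete gate. What follows is an added example written for this page; it is not Assimp's code and not OpenCVE's guidance. It unwraps a .gltf (JSON) or .glb (binary container) blob with bounds-checked header parsing, then rejects any index-typed property that is not a non-negative integer pointing inside the array it references. LazyDict is Assimp's index-resolving lookup over glTF object arrays, so malformed cross-references are the natural thing to gate on, but the page does not state that this is the trigger, and that link is an assumption. The property list, the sample document GOOD, the helpers make_glb and with_index, and the malformed variants are all constructed for illustration.

```python
"""Pre-parse gate for glTF 2.0 input (.gltf JSON or .glb binary container).

Added example for this page, not Assimp's code: every index-typed property
must be a non-negative integer inside the array it references. The page does
not describe the triggering input, so passing this gate narrows exposure to
malformed references; it is not a signature for the CVE (assumption).
"""
import json
import struct

GLB_MAGIC = 0x46546C67   # little-endian "glTF"
CHUNK_JSON = 0x4E4F534A  # little-endian "JSON"

# (dotted path to an index-typed property, array it indexes). "*" means every
# list element or object value. Core glTF 2.0 schema only; extensions ignored.
INDEX_REFS = [
    ("scene", "scenes"),
    ("scenes.*.nodes.*", "nodes"),
    ("nodes.*.mesh", "meshes"),
    ("nodes.*.children.*", "nodes"),
    ("meshes.*.primitives.*.indices", "accessors"),
    ("meshes.*.primitives.*.material", "materials"),
    ("meshes.*.primitives.*.attributes.*", "accessors"),
    ("accessors.*.bufferView", "bufferViews"),
    ("bufferViews.*.buffer", "buffers"),
    ("textures.*.source", "images"),
    ("materials.*.pbrMetallicRoughness.baseColorTexture.index", "textures"),
]


def _walk(obj, parts, where):
    """Yield (location, value) for every leaf reached by a dotted path."""
    if not parts:
        yield where, obj
    elif parts[0] == "*":
        items = enumerate(obj) if isinstance(obj, list) else (
            obj.items() if isinstance(obj, dict) else ())
        for key, child in items:
            yield from _walk(child, parts[1:], f"{where}[{key!r}]")
    elif isinstance(obj, dict) and parts[0] in obj:
        yield from _walk(obj[parts[0]], parts[1:], f"{where}.{parts[0]}")


def load_gltf_json(data: bytes) -> dict:
    """Return the JSON document of a .gltf blob or the JSON chunk of a .glb."""
    payload = data
    if len(data) >= 12 and struct.unpack_from("<I", data, 0)[0] == GLB_MAGIC:
        version, total = struct.unpack_from("<II", data, 4)
        if version != 2 or total < 20 or total > len(data):
            raise ValueError("GLB header inconsistent with buffer length")
        chunk_len, chunk_type = struct.unpack_from("<II", data, 12)
        if chunk_type != CHUNK_JSON or 20 + chunk_len > total:  # bounds first
            raise ValueError("first GLB chunk is not a well-formed JSON chunk")
        payload = data[20:20 + chunk_len]
    doc = json.loads(payload)  # malformed JSON raises a ValueError subclass
    if not isinstance(doc, dict):
        raise ValueError("glTF root must be a JSON object")
    return doc


def validate_references(doc: dict) -> list:
    """Return human-readable problems; an empty list means the document passed."""
    problems = []
    asset = doc.get("asset")
    version = asset.get("version") if isinstance(asset, dict) else None
    if version != "2.0":
        problems.append(f"asset.version is {version!r}, expected '2.0'")
    for path, target in INDEX_REFS:
        arr = doc.get(target)
        size = len(arr) if isinstance(arr, list) else 0
        for where, value in _walk(doc, path.split("."), "$"):
            # bool is an int subclass in Python, so reject it explicitly.
            if isinstance(value, bool) or not isinstance(value, int) or value < 0:
                problems.append(f"{where}: index must be a non-negative integer, got {value!r}")
            elif value >= size:
                problems.append(f"{where}: index {value} out of range for {target} (size {size})")
    return problems


def is_safe_to_parse(data: bytes) -> bool:
    """Gate to call before handing untrusted bytes to an Assimp-based importer."""
    try:
        return not validate_references(load_gltf_json(data))
    except ValueError:  # JSONDecodeError, UnicodeDecodeError and our own checks
        return False


GOOD = {  # constructed minimal document for demonstration, not a real asset
    "asset": {"version": "2.0"}, "scene": 0,
    "scenes": [{"nodes": [0]}], "nodes": [{"mesh": 0}],
    "meshes": [{"primitives": [{"attributes": {"POSITION": 0}, "indices": 1}]}],
    "accessors": [{"bufferView": 0}, {"bufferView": 0}],
    "bufferViews": [{"buffer": 0}], "buffers": [{"byteLength": 0}],
}


def make_glb(doc: dict) -> bytes:
    """Wrap a document in a minimal GLB container holding only the JSON chunk."""
    body = json.dumps(doc).encode()
    body += b" " * (-len(body) % 4)  # spec: JSON chunk is space-padded to 4 bytes
    chunk = struct.pack("<II", len(body), CHUNK_JSON) + body
    return struct.pack("<III", GLB_MAGIC, 2, 12 + len(chunk)) + chunk


def with_index(doc: dict, array: str, position: int, field: str, value) -> dict:
    """Deep-copy doc and overwrite one index field, to build malformed variants."""
    copy = json.loads(json.dumps(doc))
    copy[array][position][field] = value
    return copy
```

Call is_safe_to_parse() on the raw bytes in the upload handler or ingestion worker before the file is handed to Assimp; a malformed variant such as with_index(GOOD, "accessors", 1, "bufferView", 7) is rejected with a message naming the offending property. Keep the importer in a separate process regardless, since a gate like this only catches the malformations it knows to look for.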


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

  References: changed (values not shown)
  Metrics, threat_severity: removed None; added Moderate


Mon, 01 Jun 2026 17:30:00 +0000

  Metrics, ssvc: added {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 31 May 2026 22:45:00 +0000

  Values added:
  Description: A vulnerability has been found in Assimp up to 6.0.4. Affected by this issue is the function glTF2::LazyDict in the library glTF2Asset.h. Such manipulation of the argument operator[] leads to null pointer dereference. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is d24b85319bd70c65883a2b96613e07e23fb95981. It is best practice to apply a patch to resolve this issue.
  Title: Assimp glTF2Asset.h LazyDict null pointer dereference
  First Time appeared: Assimp; Assimp assimp
  Weaknesses: CWE-404; CWE-476
  CPEs: cpe:2.3:a:assimp:assimp:*:*:*:*:*:*:*:*
  Vendors & Products: Assimp; Assimp assimp
  References: changed (values not shown)
  Metrics, cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
  Metrics, cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
  Metrics, cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
  Metrics, cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T15:24:04.208Z

Reserved: 2026-05-31T06:13:40.131Z

Link: CVE-2026-10199

Vulnrichment

Updated: 2026-06-01T15:15:06.386Z

NVD

Status : Deferred

Published: 2026-05-31T23:16:42.413

Modified: 2026-06-01T15:15:37.293

Link: CVE-2026-10199

Redhat

Severity : Moderate

Public Date: 2026-05-31T22:30:11Z

Links: CVE-2026-10199 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-01T00:00:07Z

Weaknesses
  • CWE-404

    Improper Resource Shutdown or Release

  • CWE-476

    NULL Pointer Dereference