Description
A vulnerability was determined in Assimp up to 6.0.4. This vulnerability affects the function FBXExporter::WriteObjects of the file FBXExporter.cpp of the component UV Channel Handler. Executing a manipulation can lead to divide by zero. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. Applying a patch is advised to resolve this issue. The project tagged the reported issue as bug.
Published: 2026-05-31
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the UV Channel Handler of Assimp’s FBXExporter can cause a divide‑by‑zero error when processing certain malformed data, leading to a crash of the exporter process and potential denial of service for applications that rely on this library. The weakness is a classic division by zero error as identified by CWE‑369 and an improper release of unmanaged resources (CWE‑404). The description does not indicate leakage of sensitive data or execution of arbitrary code, so the impact is limited to availability.

Affected Systems

Assimp versions up to and including 6.0.4 are affected. The flaw resides in the FBXExporter component within the UV Channel Handler module. Applications that embed or depend on Assimp 6.0.4 or earlier for importing or exporting FBX files may experience crashes if they process specially crafted input files.

Risk and Exploitability

The CVSS score of 4.8 places this vulnerability in the moderate range. Since the attack vector is local, the threat is confined to environments where an attacker can run code on the same machine as the exporter. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, indicating limited public exploitation. Nonetheless, the crash could disrupt service continuity and should be treated as a service‑availability risk; applying the latest fix is the recommended response.

Generated by OpenCVE AI on June 1, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Assimp to version 6.0.5 or later, which contains the reported fix for the UV Channel Handler divide‑by‑zero error.
  • If an upgrade is not immediately possible, disable or remove the UV channel export functionality in your application to eliminate the code path that triggers the flaw.
  • Control local access to the application so that only trusted users can execute code that passes user‑supplied data through the vulnerable FBXExporter component.



Advisories

No advisories yet.

History

Tue, 02 Jun 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 02 Jun 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |
| Metrics | threat_severity None | threat_severity Moderate |


Sun, 31 May 2026 23:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was determined in Assimp up to 6.0.4. This vulnerability affects the function FBXExporter::WriteObjects of the file FBXExporter.cpp of the component UV Channel Handler. Executing a manipulation can lead to divide by zero. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. Applying a patch is advised to resolve this issue. The project tagged the reported issue as bug. |
| Title | | Assimp UV Channel FBXExporter.cpp WriteObjects divide by zero |
| First Time appeared | | Assimp |
| | | Assimp assimp |
| Weaknesses | | CWE-369 |
| | | CWE-404 |
| CPEs | | cpe:2.3:a:assimp:assimp:*:*:*:*:*:*:*:* |
| Vendors & Products | | Assimp |
| | | Assimp assimp |
| References | | |
| Metrics | | cvssV2_0 {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'} |
| | | cvssV3_0 {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'} |
| | | cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'} |
| | | cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T14:56:38.513Z

Reserved: 2026-05-31T06:13:45.576Z

Link: CVE-2026-10201

Vulnrichment

Updated: 2026-06-02T14:56:34.728Z

NVD

Status: Deferred

Published: 2026-06-01T00:16:41.927

Modified: 2026-06-01T15:15:37.293

Link: CVE-2026-10201

Redhat

Severity: Moderate

Public Date: 2026-05-31T23:00:12Z

Links: CVE-2026-10201 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-01T00:30:15Z

Weaknesses
  • CWE-369

    Divide By Zero

  • CWE-404

    Improper Resource Shutdown or Release