Description
A weakness has been identified in Assimp up to 6.0.4. Affected by this vulnerability is the function aiNode::~aiNode of the file scene.cpp of the component ASE File Parser. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. The project tagged the reported issue as bug.
Published: 2026-06-01
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free weakness has been identified in the Assimp library, affecting releases up to 6.0.4. The defect is located in the destructor of the aiNode class within the ASE file parser module (scene.cpp). When parsing an ASE file, the destructor incorrectly accesses memory that has already been freed, enabling a local attacker to manipulate program execution or cause a crash. The description explicitly notes that the issue can lead to use after free and that an exploit has been publicly released.

Affected Systems

The vulnerability impacts any installation of Assimp version 6.0.4 or earlier that uses the ASE file parser to load asset files. Assimp is commonly embedded in gaming, simulation, and content creation applications. Users should check the version of the library they depend on and determine whether the ASE import functionality is in use.

Risk and Exploitability

The CVSS score of 4.8 places this defect in the medium severity range. Because the attack is local and requires a crafted ASE file, an attacker must be able to supply a malicious file to the affected application. The EPSS score is not available and the vulnerability is not listed in CISA KEV, indicating limited public exploitation. Nonetheless, in environments where untrusted ASE files are processed, the risk of memory corruption or program instability remains.

Generated by OpenCVE AI on June 1, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the version of Assimp in use and confirm whether the application performs ASE file parsing
  • If the version is 6.0.4 or older and a patched release is available, update the library to the latest stable revision that resolves the destructor issue
  • If an immediate update is not feasible, block or remove ASE file parsing or restrict file ingestion to trusted sources only
  • Run applications that handle potentially malicious ASE files in a sandboxed or isolated environment to contain any impact


Advisories

No advisories yet.

History

Mon, 01 Jun 2026 07:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A weakness has been identified in Assimp up to 6.0.4. Affected by this vulnerability is the function aiNode::~aiNode of the file scene.cpp of the component ASE File Parser. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. The project tagged the reported issue as bug. |
| Title | | Assimp ASE File scene.cpp ~aiNode use after free |
| First Time appeared | | Assimp; Assimp assimp |
| Weaknesses | | CWE-119; CWE-416 |
| CPEs | | cpe:2.3:a:assimp:assimp:*:*:*:*:*:*:*:* |
| Vendors & Products | | Assimp; Assimp assimp |
| References | | |
| Metrics | | cvssV2_0: {'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}; cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}; cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}; cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T06:30:10.110Z

Reserved: 2026-05-31T08:11:02.037Z

Link: CVE-2026-10232

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T08:16:19.573

Modified: 2026-06-01T08:16:19.573

Link: CVE-2026-10232

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T09:45:06Z
