Description
A weakness has been identified in Assimp up to 6.0.4. Affected by this vulnerability is the function aiNode::~aiNode of the file scene.cpp of the component ASE File Parser. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. The project tagged the reported issue as bug.
Published: 2026-06-01
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free weakness has been identified in the Assimp library, affecting releases up to 6.0.4. The defect is located in the destructor of the aiNode class within the ASE file parser module (scene.cpp). When parsing an ASE file, the destructor incorrectly accesses memory that has already been freed, enabling a local attacker to manipulate program execution or cause a crash. The description explicitly notes that the issue can lead to use after free and that an exploit has been publicly released.

Affected Systems

The vulnerability impacts any installation of Assimp version 6.0.4 or earlier that uses the ASE file parser to load asset files. Assimp is commonly embedded in gaming, simulation, and content creation applications. Users should check the version of the library they depend on and determine whether the ASE import functionality is in use.

Risk and Exploitability

The CVSS score of 4.8 places this defect in the medium severity range. Because the exploit is local and requires a crafted ASE file, attackers must have the ability to supply malicious files to the affected application. The EPSS score of < 1% indicates a very low exploitation probability, and the vulnerability is not listed in CISA KEV, suggesting limited public exploitation. Nonetheless, in environments where untrusted ASE files are processed, the risk of memory corruption or program instability remains.

Generated by OpenCVE AI on June 11, 2026 at 02:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If the version is 6.0.4 or older and a patched release is available, update the library to the latest stable revision that resolves the destructor issue
  • If an immediate update is not feasible, block or remove ASE file parsing or restrict file ingestion to trusted sources only
  • Run applications that handle potentially malicious ASE files in a sandboxed or isolated environment to contain any impact

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-825
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Tue, 02 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 07:30:00 +0000

Type | Values Removed | Values Added
Description | | A weakness has been identified in Assimp up to 6.0.4. Affected by this vulnerability is the function aiNode::~aiNode of the file scene.cpp of the component ASE File Parser. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. The project tagged the reported issue as bug.
Title | | Assimp ASE File scene.cpp ~aiNode use after free
First Time appeared | | Assimp; Assimp assimp
Weaknesses | | CWE-119; CWE-416
CPEs | | cpe:2.3:a:assimp:assimp:*:*:*:*:*:*:*:*
Vendors & Products | | Assimp; Assimp assimp
References | |
Metrics | | cvssV2_0: {'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T15:05:11.890Z

Reserved: 2026-05-31T08:11:02.037Z

Link: CVE-2026-10232

Vulnrichment

Updated: 2026-06-02T15:05:07.630Z

NVD

Status: Deferred

Published: 2026-06-01T08:16:19.573

Modified: 2026-06-01T15:15:37.293

Link: CVE-2026-10232

Redhat

Severity: Moderate

Public Date: 2026-06-01T06:30:10Z

Links: CVE-2026-10232 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-11T02:30:02Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-416

    Use After Free

  • CWE-825

    Expired Pointer Dereference