Description
A security flaw has been discovered in admesh up to 0.98.5. This issue affects the function stl_check_normal_vector of the file src/normals.c. Performing a manipulation results in a heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. This product appears to be no longer maintained.
Published: 2026-02-18
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap-based buffer overflow enabling local memory corruption
Action: Assess Impact
AI Analysis

Impact

A heap-based buffer overflow exists in the stl_check_normal_vector function in ADMesh's src/normals.c. A local attacker who can get a crafted STL file processed by the program may overflow a heap buffer, causing a crash or potentially arbitrary code execution. The flaw is triggered by local manipulation of input data and is not remotely exploitable. The underlying weaknesses are CWE-119 (improper restriction of operations within the bounds of a memory buffer) and CWE-122 (heap-based buffer overflow).

Affected Systems

The affected product is ADMesh by the admesh_project, versions up to 0.98.5. No downstream versions are listed, and the project appears to be unmaintained. Users of any affected release that process STL files from untrusted sources are at risk.

Risk and Exploitability

The CVSS base score is 4.8, reflecting moderate severity for a locally exploitable flaw. The EPSS indicates a very low but nonzero probability of exploitation (<1%), and the vulnerability is not listed in CISA's KEV catalog. Because the vulnerable code must be run locally, a locally logged-in user (low privileges suffice, per the CVSS vector) could exploit the flaw, but remote attackers cannot trigger it unless they can get the software to process their input. A publicly available proof-of-concept exploit means the risk is real for environments that allow untrusted STL files to be processed by ADMesh.

Generated by OpenCVE AI on April 17, 2026 at 18:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ADMesh to the most recent release if an update that fixes the overflow is available; if the project is no longer maintained, migrate to an actively supported slicing tool such as Cura or Slic3r.
  • Restrict the user accounts that can load or manipulate STL files, and validate or sanitize input files before passing them to ADMesh to reduce the chance of malformed data triggering the overflow.
  • Follow the community’s suggested workarounds from issue #65 on GitHub, applying any available patches or code changes that mitigate the overflow until a formal release is issued.



Advisories

No advisories yet.

History

Fri, 20 Feb 2026 16:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Admesh Project
                                       Admesh Project admesh
CPEs                                   cpe:2.3:a:admesh_project:admesh:*:*:*:*:*:*:*:*
Vendors & Products                     Admesh Project
                                       Admesh Project admesh

Thu, 19 Feb 2026 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Admesh
                                       Admesh admesh
Vendors & Products                     Admesh
                                       Admesh admesh

Wed, 18 Feb 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 11:15:00 +0000

Type          Values Removed   Values Added
Description                    A security flaw has been discovered in admesh up to 0.98.5. This issue affects the function stl_check_normal_vector of the file src/normals.c. Performing a manipulation results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. It looks like this product is not really maintained anymore.
Title                          admesh normals.c stl_check_normal_vector heap-based overflow
Weaknesses                     CWE-119
                               CWE-122
References
Metrics                        cvssV2_0: {'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C'}
                               cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}
                               cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}
                               cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:17:19.908Z

Reserved: 2026-02-18T06:30:08.519Z

Link: CVE-2026-2653

Vulnrichment

Updated: 2026-02-18T20:27:35.700Z

NVD

Status: Analyzed

Published: 2026-02-18T11:16:32.770

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2653

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:00:10Z

Weaknesses