Description
A stack overflow in the experimental/tinyobj_loader_opt.h file of tinyobjloader commit d56555b allows attackers to cause a Denial of Service (DoS) via supplying a crafted .mtl file.
Published: 2026-04-13
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A stack overflow in tinyobjloader’s experimental/tinyobj_loader_opt.h file allows a crafted .mtl file to overflow the stack during parsing. The overflow causes the application using the library to crash, resulting in a denial‑of‑service condition. The flaw is a classic stack-based buffer overflow, categorized as CWE‑121.

Affected Systems

The vulnerable code exists in the experimental/tinyobj_loader_opt.h header of the tinyobjloader library in commit d56555b. Any software that compiles this header or uses the experimental optimized loader can be impacted. Vendor and product information is not provided by the CNA, so the vulnerability may affect any custom or third‑party applications that ship with this library. No specific version numbers are listed, but the issue exists in all builds that contain the problematic code before the patch.

Risk and Exploitability

The CVSS score of 6.2 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is inferred: an attacker supplies a maliciously crafted .mtl file to the victim application, which then passes it to tinyobjloader, causing a crash. This vector does not require authentication and results only in service disruption, not code execution or data compromise.

Generated by OpenCVE AI on April 13, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a patched version of tinyobjloader that removes the vulnerable code.
  • If patching is not possible, avoid compiling or including experimental/tinyobj_loader_opt.h and use the stable loader path instead.
  • Validate and sanitize incoming .mtl files before handing them to the library, rejecting files that exceed size limits or contain suspicious entries.
  • Run the parsing routine in a sandboxed or monitored process to contain potential crashes.

Generated by OpenCVE AI on April 13, 2026 at 21:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Stack Overflow in tinyobjloader Causing DoS via Crafted MTL File

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Kiyochii
Kiyochii tinyobjloader
Vendors & Products Kiyochii
Kiyochii tinyobjloader

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-121
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description A stack overflow in the experimental/tinyobj_loader_opt.h file of tinyobjloader commit d56555b allows attackers to cause a Denial of Service (DoS) via supplying a crafted .mtl file.
References

Subscriptions

Kiyochii Tinyobjloader
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-13T19:04:06.916Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29628

cve-icon Vulnrichment

Updated: 2026-04-13T19:03:28.169Z

cve-icon NVD

Status : Deferred

Published: 2026-04-13T15:17:19.673

Modified: 2026-04-27T19:18:46.690

Link: CVE-2026-29628

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:36:00Z

Weaknesses