Description
cgltf version 1.15 and prior contain an integer overflow vulnerability in the cgltf_validate() function when validating sparse accessors that allows attackers to trigger out-of-bounds reads by supplying crafted glTF/GLB input files with attacker-controlled size values. Attackers can exploit unchecked arithmetic operations in sparse accessor validation to cause heap buffer over-reads in cgltf_calc_index_bound(), resulting in denial of service crashes and potential memory disclosure.
Published: 2026-03-23
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and possible memory disclosure
Action: Assess Impact
AI Analysis

Impact

An integer overflow in the cgltf_validate() function occurs during sparse accessor validation. When attacker-controlled GLTF or GLB files contain oversized length fields, unchecked arithmetic in cgltf_calc_index_bound() can overflow the bound calculation, resulting in heap buffer over-reads. The resulting out-of-bounds reads may crash the hosting application or expose memory contents, compromising confidentiality and availability.

Affected Systems

The vulnerability affects the cgltf library version 1.15 and earlier. Applications that link against jkuhlmann's cgltf 1.15 or older and load user‑supplied GLTF/GLB files are at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability. Although the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, attackers can leverage malicious model files that the application imports. The attack vector is inferred from the description as a local or remote file‑submission attack where the attacker supplies a crafted GLTF file to trigger the overflow. Exploitation requires that the target application use the vulnerable library without protecting against oversized sparse accessor sizes.

Generated by OpenCVE AI on March 23, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a cgltf version newer than 1.15 when available.
  • If an upgrade is not immediately possible, validate or sanitize GLTF/GLB input before passing it to cgltf_validate(), rejecting sparse accessors with unexpected size values.
  • Monitor applications for abnormal crashes or memory disclosure indicators that could result from buffer over‑reads.
  • Confirm patch availability from the vendor’s repository and apply the fix as soon as it is released.

Generated by OpenCVE AI on March 23, 2026 at 17:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Jkuhlmann
Jkuhlmann cgltf
Vendors & Products Jkuhlmann
Jkuhlmann cgltf

Mon, 23 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description cgltf version 1.15 and prior contain an integer overflow vulnerability in the cgltf_validate() function when validating sparse accessors that allows attackers to trigger out-of-bounds reads by supplying crafted glTF/GLB input files with attacker-controlled size values. Attackers can exploit unchecked arithmetic operations in sparse accessor validation to cause heap buffer over-reads in cgltf_calc_index_bound(), resulting in denial of service crashes and potential memory disclosure.
Title jkuhlmann / cgltf <= 1.15 Sparse Accessor Validation Integer Overflow
Weaknesses CWE-190
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Jkuhlmann Cgltf
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-31T15:12:59.848Z

Reserved: 2026-03-16T18:11:41.758Z

Link: CVE-2026-32845

cve-icon Vulnrichment

Updated: 2026-03-23T17:11:44.957Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-23T16:16:48.583

Modified: 2026-03-24T15:54:09.400

Link: CVE-2026-32845

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:37:30Z

Weaknesses