Skip to main content

Open Asset Import Library Assimp CVE-2025-11274

LOW
Uncontrolled Resource Consumption (CWE-400)
2025-10-05 cna@vuldb.com
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:31 vuln.today

DescriptionCVE.org

A vulnerability was determined in Open Asset Import Library Assimp 6.0.2. Affected is the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. This manipulation causes allocation of resources. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized.

AnalysisAI

Assimp 6.0.2 Q3D file parser mishandles resource allocation in the Q3DImporter::InternReadFile function, causing denial of service through uncontrolled memory consumption when processing malformed Q3D model files. A local authenticated attacker can trigger excessive memory allocation by providing a specially crafted Q3D file, leading to process crash or system resource exhaustion. Publicly available exploit code exists, though CVSS 1.9 and EPSS 0.03% indicate minimal real-world exploitation risk.

Technical ContextAI

Assimp is a widely-used open-source 3D model import library supporting dozens of file formats including Q3D (Quake3 Arena model format). The vulnerability resides in the Q3DLoader.cpp parser component, specifically the InternReadFile function responsible for deserializing Q3D binary/text data into memory structures. CWE-400 (uncontrolled resource consumption) indicates insufficient validation of file-provided size fields or array dimensions before allocation, allowing an attacker to cause the parser to request enormous memory blocks. The Q3D format likely contains fields specifying mesh dimensions, vertex counts, or texture sizes that are not validated before being used in malloc/new calls, enabling a resource exhaustion attack vector.

RemediationAI

Upgrade to a patched version of Assimp if available from the upstream repository (https://github.com/assimp/assimp). At time of analysis, exact fix version numbers are not provided in available data; check the GitHub repository's releases page and issue #6356 for confirmation of a patched version. Until a patch is available or applicable, implement input validation: disable Q3D format loading in Assimp if not required for your application (most Assimp installations do not require Q3D support), or restrict Assimp's file processing to run with memory limits using OS-level resource controls (ulimit on Linux, Job Objects on Windows) to cap virtual memory and prevent system-wide exhaustion. If Assimp is exposed via a web service or batch processing system, enforce a timeout on parsing operations and validate incoming files against known Q3D specifications before passing them to the parser.

More in Assimp

View all
CVE-2024-48423 HIGH POC
7.8 Oct 24

An issue in assimp v.5.4.3 allows a local attacker to execute arbitrary code via the CallbackToLogRedirector function wi

CVE-2022-38528 MEDIUM POC
6.5 Sep 06

Open Asset Import Library (assimp) commit 3c253ca was discovered to contain a segmentation violation via the component A

CVE-2024-53425 MEDIUM POC
6.2 Nov 21

A heap-buffer-overflow vulnerability was discovered in the SkipSpacesAndLineEnd function in Assimp v5.4.3. Rated medium

CVE-2024-48426 MEDIUM POC
6.2 Oct 24

A segmentation fault (SEGV) was detected in the SortByPTypeProcess::Execute function in the Assimp library during fuzz t

CVE-2024-48425 MEDIUM POC
5.5 Oct 24

A segmentation fault (SEGV) was detected in the Assimp::SplitLargeMeshesProcess_Triangle::UpdateNode function within the

CVE-2024-48424 MEDIUM POC
5.5 Oct 24

A heap-buffer-overflow vulnerability has been identified in the OpenDDLParser::parseStructure function within the Assimp

CVE-2025-3016 MEDIUM POC
5.3 Mar 31

A vulnerability classified as problematic was found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (CV

CVE-2025-2752 MEDIUM POC
5.3 Mar 25

A vulnerability was found in Open Asset Import Library Assimp 5.4.3 and classified as problematic.h of the component CSM

CVE-2025-3015 MEDIUM POC
5.3 Mar 31

A vulnerability classified as critical has been found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (

CVE-2025-2592 MEDIUM POC
5.3 Mar 21

A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3.cpp. Rated m

CVE-2025-2757 MEDIUM POC
5.3 Mar 25

A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (CVSS

CVE-2025-2756 MEDIUM POC
5.3 Mar 25

A vulnerability classified as critical has been found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (

Share

CVE-2025-11274 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy