Open Asset Import Library Assimp CVE-2025-11274
LOWSeverity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was determined in Open Asset Import Library Assimp 6.0.2. Affected is the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. This manipulation causes allocation of resources. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized.
AnalysisAI
Assimp 6.0.2 Q3D file parser mishandles resource allocation in the Q3DImporter::InternReadFile function, causing denial of service through uncontrolled memory consumption when processing malformed Q3D model files. A local authenticated attacker can trigger excessive memory allocation by providing a specially crafted Q3D file, leading to process crash or system resource exhaustion. Publicly available exploit code exists, though CVSS 1.9 and EPSS 0.03% indicate minimal real-world exploitation risk.
Technical ContextAI
Assimp is a widely-used open-source 3D model import library supporting dozens of file formats including Q3D (Quake3 Arena model format). The vulnerability resides in the Q3DLoader.cpp parser component, specifically the InternReadFile function responsible for deserializing Q3D binary/text data into memory structures. CWE-400 (uncontrolled resource consumption) indicates insufficient validation of file-provided size fields or array dimensions before allocation, allowing an attacker to cause the parser to request enormous memory blocks. The Q3D format likely contains fields specifying mesh dimensions, vertex counts, or texture sizes that are not validated before being used in malloc/new calls, enabling a resource exhaustion attack vector.
RemediationAI
Upgrade to a patched version of Assimp if available from the upstream repository (https://github.com/assimp/assimp). At time of analysis, exact fix version numbers are not provided in available data; check the GitHub repository's releases page and issue #6356 for confirmation of a patched version. Until a patch is available or applicable, implement input validation: disable Q3D format loading in Assimp if not required for your application (most Assimp installations do not require Q3D support), or restrict Assimp's file processing to run with memory limits using OS-level resource controls (ulimit on Linux, Job Objects on Windows) to cap virtual memory and prevent system-wide exhaustion. If Assimp is exposed via a web service or batch processing system, enforce a timeout on parsing operations and validate incoming files against known Q3D specifications before passing them to the parser.
An issue in assimp v.5.4.3 allows a local attacker to execute arbitrary code via the CallbackToLogRedirector function wi
Open Asset Import Library (assimp) commit 3c253ca was discovered to contain a segmentation violation via the component A
A heap-buffer-overflow vulnerability was discovered in the SkipSpacesAndLineEnd function in Assimp v5.4.3. Rated medium
A segmentation fault (SEGV) was detected in the SortByPTypeProcess::Execute function in the Assimp library during fuzz t
A segmentation fault (SEGV) was detected in the Assimp::SplitLargeMeshesProcess_Triangle::UpdateNode function within the
A heap-buffer-overflow vulnerability has been identified in the OpenDDLParser::parseStructure function within the Assimp
A vulnerability classified as problematic was found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (CV
A vulnerability was found in Open Asset Import Library Assimp 5.4.3 and classified as problematic.h of the component CSM
A vulnerability classified as critical has been found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (
A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3.cpp. Rated m
A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (CVSS
A vulnerability classified as critical has been found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today