Skip to main content

Open Asset Import Library Assimp CVE-2025-11277

LOW
Buffer Overflow (CWE-119)
2025-10-05 cna@vuldb.com
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:51 vuln.today

DescriptionCVE.org

A weakness has been identified in Open Asset Import Library Assimp 6.0.2. This affects the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. Executing a manipulation can lead to heap-based buffer overflow. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks.

AnalysisAI

Heap-based buffer overflow in Assimp 6.0.2's Q3D file importer allows local authenticated users to cause memory corruption via crafted Q3D model files. The vulnerability affects the Q3DImporter::InternReadFile function and has publicly available exploit code, though real-world exploitation remains limited due to local access and low privilege requirement constraints. CVSS 1.9 reflects minimal confidentiality, integrity, and availability impact despite the presence of a public POC.

Technical ContextAI

The vulnerability exists in Assimp's Q3D asset import module (assimp/code/AssetLib/Q3D/Q3DLoader.cpp), which parses proprietary Q3D 3D model files. The Q3DImporter::InternReadFile function fails to properly validate input buffer sizes during Q3D file parsing, triggering a heap-based buffer overflow (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer). Assimp is a widely-used C++ library for importing 3D asset formats across game engines, graphics applications, and content creation tools. The Q3D format is a legacy format with limited modern adoption, reducing real-world exposure.

RemediationAI

Apply the latest patched version of Assimp released after CVE-2025-11277 disclosure; consult the official Assimp GitHub repository (https://github.com/assimp/assimp) for exact fix version information. For applications unable to immediately upgrade, implement input validation on Q3D file uploads by restricting the Q3D importer to known-safe file sources and blocking Q3D format imports if not essential to application functionality. If Q3D support is required, enforce strict file size limits on Q3D input and run Assimp import operations in a sandboxed or isolated process with minimal privileges to contain potential memory corruption. Note that workload isolation increases operational complexity and may impact performance; evaluate whether disabling Q3D import entirely is feasible for your deployment. Monitor Assimp release notes and security advisories via https://github.com/assimp/assimp/security for official patch availability and version guidance.

More in Assimp

View all
CVE-2024-48423 HIGH POC
7.8 Oct 24

An issue in assimp v.5.4.3 allows a local attacker to execute arbitrary code via the CallbackToLogRedirector function wi

CVE-2022-38528 MEDIUM POC
6.5 Sep 06

Open Asset Import Library (assimp) commit 3c253ca was discovered to contain a segmentation violation via the component A

CVE-2024-53425 MEDIUM POC
6.2 Nov 21

A heap-buffer-overflow vulnerability was discovered in the SkipSpacesAndLineEnd function in Assimp v5.4.3. Rated medium

CVE-2024-48426 MEDIUM POC
6.2 Oct 24

A segmentation fault (SEGV) was detected in the SortByPTypeProcess::Execute function in the Assimp library during fuzz t

CVE-2024-48425 MEDIUM POC
5.5 Oct 24

A segmentation fault (SEGV) was detected in the Assimp::SplitLargeMeshesProcess_Triangle::UpdateNode function within the

CVE-2024-48424 MEDIUM POC
5.5 Oct 24

A heap-buffer-overflow vulnerability has been identified in the OpenDDLParser::parseStructure function within the Assimp

CVE-2025-3016 MEDIUM POC
5.3 Mar 31

A vulnerability classified as problematic was found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (CV

CVE-2025-2752 MEDIUM POC
5.3 Mar 25

A vulnerability was found in Open Asset Import Library Assimp 5.4.3 and classified as problematic.h of the component CSM

CVE-2025-3015 MEDIUM POC
5.3 Mar 31

A vulnerability classified as critical has been found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (

CVE-2025-2592 MEDIUM POC
5.3 Mar 21

A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3.cpp. Rated m

CVE-2025-2757 MEDIUM POC
5.3 Mar 25

A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (CVSS

CVE-2025-2756 MEDIUM POC
5.3 Mar 25

A vulnerability classified as critical has been found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (

Share

CVE-2025-11277 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy