How to fix CVE-2025-6120?

Within 30 days: Identify affected systems running Open Asset Import Library Assimp and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Is Ubuntu affected by CVE-2025-6120?

Organizations using Open Asset Import Library Assimp should be aware of moderate risk from CVE-2025-6120, a buffer overflow vulnerability rated CVSS 5.3. Exploitation could cause memory corruption or application crashes. Proof-of-concept code is publicly available.

CVE-2025-6120

EUVD-2025-18386 MEDIUM

2025-06-16 [email protected]

5.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 14, 2026 - 21:59 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 21:59 euvd

EUVD-2025-18386

PoC Detected

Jun 17, 2025 - 19:37 vuln.today

Public exploit code

CVE Published

Jun 16, 2025 - 12:15 nvd

MEDIUM 5.3

Description

A vulnerability classified as critical was found in Open Asset Import Library Assimp up to 5.4.3. Affected by this vulnerability is the function read_meshes in the library assimp/code/AssetLib/MDL/HalfLife/HL1MDLLoader.cpp. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.

Analysis

Technical Context

A buffer overflow occurs when data written to a buffer exceeds its allocated size, potentially overwriting adjacent memory and corrupting program state.

Affected Products

Affected products: Assimp Assimp

Remediation

Use memory-safe languages or bounds-checked functions. Enable ASLR, DEP/NX, and stack canaries. Apply vendor patches promptly.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +26

POC: +20

Vendor Status

Ubuntu

Priority: Medium

assimp

Release	Status	Version
xenial	needs-triage	-
bionic	needs-triage	-
focal	needs-triage	-
jammy	needs-triage	-
noble	needs-triage	-
upstream	needs-triage	-
plucky	ignored	end of life, was needs-triage
oracular	ignored	end of life, was needs-triage
questing	needs-triage	-

Debian

Bug #1107936

assimp

Release	Status	Fixed Version	Urgency
bullseye	vulnerable	5.0.1~ds0-2	-
bookworm	vulnerable	5.2.5~ds0-1	-
trixie	vulnerable	5.4.3+ds-2	-
forky, sid	vulnerable	6.0.4+ds-1	-
(unstable)	fixed	(unfixed)	-

CVE-2025-6120 vulnerability details – vuln.today

Back

CVE-2025-6120

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-6120

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code