
Assimp CVE-2026-10197

EUVD-2026-33519 · LOW
Improper Resource Shutdown or Release (CWE-404)
2026-05-31 · cna@vuldb.com · GHSA-2r76-r3fx-jwv2
1.9 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

  • Source Code Evidence Fetched: May 31, 2026 - 22:31 (vuln.today)
  • Analysis Generated: May 31, 2026 - 22:31 (vuln.today)

Description (CVE.org)

A vulnerability was detected in Assimp up to 6.0.4. Affected is the function glTF2Importer::ImportEmbeddedTextures in the library code/AssetLib/glTF2/glTF2Importer.cpp of the component TF File Handler. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue. The pull request to fix this issue awaits acceptance.

Analysis (AI)

Null pointer dereference in Assimp's glTF2 importer (versions up to 6.0.4) allows a local attacker to crash any application embedding the library by supplying a malformed glTF2 asset. The vulnerable function ImportEmbeddedTextures performs pointer arithmetic on the return value of strchr() before checking for null, meaning a glTF2 embedded texture with a MIME type lacking a '/' character triggers undefined behavior and a process crash. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Obtain local access or submit crafted file via upload interface
  • Delivery: Craft glTF2 with mimeType missing '/' character
  • Exploit: Application invokes Assimp glTF2 importer
  • Execution: ImportEmbeddedTextures performs null pointer arithmetic
  • Persist: Process crashes with null dereference
  • Impact: Target application unavailable (DoS)

Vulnerability Assessment (AI)

Exploitation: Exploitation requires local access to the target system (AV:L per CVSS vector) and the ability to supply a crafted glTF2 file to an application using Assimp for 3D asset loading; low-privilege local account access is sufficient (PR:L). …

Risk Assessment: CVSS 4.0 scores this at 1.9 with vector AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L, indicating local access with low privileges is required, no confidentiality or integrity impact, and only limited availability impact (application crash). …

Exploit Scenario: An attacker with local access crafts a glTF2 file containing an embedded texture with a malformed `mimeType` value that omits the '/' delimiter (e.g., `imagepng` instead of `image/png`). When a target application using Assimp ≤ 6.0.4 calls the glTF2 importer to load this file, `ImportEmbeddedTextures` invokes `strchr()` on the MIME type, receives `nullptr`, then adds 1 to that pointer before any null check, crashing the process. …

Remediation: No vendor-released patched version is confirmed at time of analysis. …
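As an added illustration of the defect class the analysis describes (constructed for this page; it is not Assimp's code and not the pending upstream fix): a `mimeType` subtype extraction that does `strchr() + 1` unconditionally, beside a hardened form that checks for the missing delimiter before any pointer arithmetic. The function names and the "reject and fall back" behaviour are assumptions.

```cpp
#include <cstring>
#include <iostream>
#include <optional>
#include <string>

// Constructed illustration; not Assimp's code. Both functions take a glTF2
// image mimeType such as "image/png" and return the subtype ("png"), which a
// loader would use as a texture-format hint.

// Vulnerable shape: strchr() returns nullptr when '/' is absent, and the
// unconditional "+ 1" is arithmetic on a null pointer (undefined behaviour;
// in practice a crash when the result is dereferenced). Only safe on
// well-formed input.
const char* SubtypeUnchecked(const char* mimeType) {
    return std::strchr(mimeType, '/') + 1;   // UB for "imagepng"
}

// Hardened shape: validate before arithmetic and report malformed values to
// the caller instead of crashing the host process. std::nullopt means
// "no usable hint": the loader can fall back to sniffing the embedded bytes
// or reject the asset, but it keeps running.
std::optional<std::string> SubtypeChecked(const char* mimeType) {
    if (mimeType == nullptr) return std::nullopt;         // field absent
    const char* slash = std::strchr(mimeType, '/');
    if (slash == nullptr) return std::nullopt;            // "imagepng": no delimiter
    if (slash == mimeType) return std::nullopt;           // "/png": empty type
    const char* subtype = slash + 1;                      // arithmetic only after the check
    if (*subtype == '\0') return std::nullopt;            // "image/": empty subtype
    return std::string(subtype);
}

int main() {
    // Constructed sample values, including the malformed shape from the advisory.
    const char* samples[] = {"image/png", "imagepng", "image/", "/png"};
    for (const char* s : samples) {
        std::optional<std::string> sub = SubtypeChecked(s);
        std::cout << '"' << s << "\" -> "
                  << (sub ? *sub : std::string("rejected")) << '\n';
    }
    return 0;
}
```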



CVE-2026-10197 vulnerability details – vuln.today
