EUVD-2026-33521
GHSA-6rfw-vrjc-wff7
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability has been found in Assimp up to 6.0.4. Affected by this issue is the function glTF2::LazyDict in the library glTF2Asset.h. Such manipulation of the argument operator[] leads to null pointer dereference. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is d24b85319bd70c65883a2b96613e07e23fb95981. It is best practice to apply a patch to resolve this issue.
AnalysisAI
Null pointer dereference in Assimp's glTF2 importer (versions up to 6.0.4) allows a local low-privileged attacker to crash any application that processes attacker-supplied 3D model files via the library. The flaw resides in the ImportAnimations() function, where glTF2::LazyDict::operator[] is invoked with animation channel node indices that are never validated for validity before dereferencing, producing a CWE-476 null pointer dereference and denial-of-service. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must have local system access and at minimum low-level privileges (PR:L per CVSS vector) sufficient to place or supply a malicious glTF2 file that the target application will attempt to import using Assimp. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 3.3 (Low) is consistent with the actual threat profile: local attack vector (AV:L) requires physical or authenticated shell access, low complexity (AC:L) means no special conditions beyond file placement, low privileges (PR:L) confirm an unprivileged local user can trigger it, and impact is strictly limited to low availability (A:L) with zero confidentiality or integrity effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with low-privileged shell access places a crafted glTF2 file - constructed with animation channels referencing invalid or nonexistent node indices - into a directory monitored or opened by a target application such as a 3D content editor, game engine asset pipeline, or automated media processor. When the application invokes Assimp to import the file, `ImportAnimations()` calls `LazyDict::operator[]` with the invalid index, obtains a null reference, and crashes upon dereferencing it in `CreateNodeAnim()`. … |
| Remediation | The upstream fix is available as commit d24b85319bd70c65883a2b96613e07e23fb95981, delivered through pull request #6646 at https://github.com/assimp/assimp/pull/6646. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today