Skip to main content

Assimp CVE-2026-14610

| EUVDEUVD-2026-41601 LOW
Heap-based Buffer Overflow (CWE-122)
2026-07-03 VulDB GHSA-rc6p-2pj8-p4v9
1.9
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
1.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Local-only vector requiring low-privilege file delivery to trigger CSM parsing; limited C/I/A impact with no scope change matches heap overflow with constrained impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
Jul 03, 2026 - 22:13 vuln.today
Severity Changed
Jul 03, 2026 - 21:22 NVD
MEDIUM LOW
CVSS changed
Jul 03, 2026 - 21:22 NVD
4.8 (MEDIUM) 1.9 (LOW)
Severity Changed
Jul 03, 2026 - 21:22 NVD
MEDIUM LOW
CVSS changed
Jul 03, 2026 - 21:22 NVD
4.8 (MEDIUM) 1.9 (LOW)

DescriptionCVE.org

A flaw has been found in Open Asset Import Library Assimp up to 6.0.5. Impacted is the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. This manipulation causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. Patch name: eb84eec580d3f4ba2f0fd87409b7d0744620f11e. Applying a patch is the recommended action to fix this issue.

AnalysisAI

Heap-based buffer overflow in Assimp's CSM file handler (versions 6.0.0-6.0.5) allows a local low-privileged attacker to corrupt heap memory by supplying a crafted Character Studio Motion (CSM) file to any application that uses the library for asset import. The flaw exists in Assimp::CSMImporter::InternReadFile within code/AssetLib/CSM/CSMLoader.cpp and affects all Assimp 6.0.x releases confirmed by EUVD-2026-41601. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain low-privilege local system access
Delivery
Place or deliver crafted CSM file
Exploit
Trigger application to load CSM file via Assimp
Execution
InternReadFile overflows heap buffer in CSMLoader.cpp
Persist
Corrupt adjacent heap memory
Impact
Cause crash or limited memory corruption impact

Vulnerability AssessmentAI

Exploitation Exploitation strictly requires local execution context - the attacker must already have low-privileged interactive or scripted access to the target system (AV:L, PR:L per CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 1.9 is driven primarily by the local-only attack vector (AV:L) and limited impact ratings (VC:L/VI:L/VA:L with no scope change), placing this well below critical priority from a raw score perspective. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged attacker with local access to a workstation running a 3D content tool (e.g., a game editor or asset converter) built with Assimp places or social-engineers delivery of a specially crafted CSM motion-capture file into the application's import directory. When the tool calls Assimp to parse the file, `CSMImporter::InternReadFile` writes beyond the bounds of a heap buffer, corrupting adjacent memory. …
Remediation Apply the upstream fix available at commit eb84eec580d3f4ba2f0fd87409b7d0744620f11e (https://github.com/assimp/assimp/commit/eb84eec580d3f4ba2f0fd87409b7d0744620f11e) via pull request #6649 (https://github.com/assimp/assimp/pull/6649). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Assimp

View all
CVE-2024-48423 HIGH POC
7.8 Oct 24

An issue in assimp v.5.4.3 allows a local attacker to execute arbitrary code via the CallbackToLogRedirector function wi

CVE-2022-38528 MEDIUM POC
6.5 Sep 06

Open Asset Import Library (assimp) commit 3c253ca was discovered to contain a segmentation violation via the component A

CVE-2024-53425 MEDIUM POC
6.2 Nov 21

A heap-buffer-overflow vulnerability was discovered in the SkipSpacesAndLineEnd function in Assimp v5.4.3. Rated medium

CVE-2024-48426 MEDIUM POC
6.2 Oct 24

A segmentation fault (SEGV) was detected in the SortByPTypeProcess::Execute function in the Assimp library during fuzz t

CVE-2024-48425 MEDIUM POC
5.5 Oct 24

A segmentation fault (SEGV) was detected in the Assimp::SplitLargeMeshesProcess_Triangle::UpdateNode function within the

CVE-2024-48424 MEDIUM POC
5.5 Oct 24

A heap-buffer-overflow vulnerability has been identified in the OpenDDLParser::parseStructure function within the Assimp

CVE-2025-3016 MEDIUM POC
5.3 Mar 31

A vulnerability classified as problematic was found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (CV

CVE-2025-2752 MEDIUM POC
5.3 Mar 25

A vulnerability was found in Open Asset Import Library Assimp 5.4.3 and classified as problematic.h of the component CSM

CVE-2025-3015 MEDIUM POC
5.3 Mar 31

A vulnerability classified as critical has been found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (

CVE-2025-2592 MEDIUM POC
5.3 Mar 21

A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3.cpp. Rated m

CVE-2025-2757 MEDIUM POC
5.3 Mar 25

A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (CVSS

CVE-2025-2756 MEDIUM POC
5.3 Mar 25

A vulnerability classified as critical has been found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (

Share

CVE-2026-14610 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy