Skip to main content

CVE-2026-29628

| EUVDEUVD-2026-21926 MEDIUM
Stack-based Buffer Overflow (CWE-121)
2026-04-13 mitre
6.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 15, 2026 - 12:46 vuln.today
CVSS changed
Apr 13, 2026 - 20:22 NVD
6.2 (None) 6.2 (MEDIUM)
EUVD ID Assigned
Apr 13, 2026 - 14:45 euvd
EUVD-2026-21926
Analysis Generated
Apr 13, 2026 - 14:45 vuln.today
CVE Published
Apr 13, 2026 - 00:00 nvd
MEDIUM 6.2

DescriptionCVE.org

A stack overflow in the experimental/tinyobj_loader_opt.h file of tinyobjloader commit d56555b allows attackers to cause a Denial of Service (DoS) via supplying a crafted .mtl file.

AnalysisAI

Stack overflow in tinyobjloader's experimental MTL file parser (tinyobj_loader_opt.h) allows local attackers to trigger denial of service by supplying a malformed .mtl file. The vulnerability affects the library's material file parsing logic and crashes the application via stack memory corruption, though with EPSS score of 0.01% and no confirmed active exploitation, real-world risk is minimal despite the moderate CVSS 6.2 rating.

Technical ContextAI

tinyobjloader is a lightweight C++ single-header library for parsing Wavefront OBJ and MTL (material) files commonly used in 3D graphics applications. The vulnerability resides in the experimental optimization header (tinyobj_loader_opt.h), specifically in the stack-based buffer handling during MTL file parsing. CWE-121 (stack-based buffer overflow) indicates that fixed-size stack buffers in the material file parser do not properly validate the size of user-supplied data before copying, allowing an oversized or specially-crafted MTL material definition to overflow the stack frame and corrupt adjacent memory.

RemediationAI

Update tinyobjloader to commit 386b73bb8c1a855236beb73b11f45f7feac4e03a or later, which patches the stack overflow in the MTL parser. Developers should pull the latest version from https://github.com/kiyochii/tinyobjloader and rebuild their applications. As an interim mitigation, if updating is not immediately feasible, disable or restrict processing of MTL files from untrusted sources, or run 3D model loading in a sandboxed process with restricted file system and memory access. Review application code to ensure user-supplied or network-downloaded MTL files are validated for size and format before processing by tinyobjloader.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-29628 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy