Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
A stack overflow in the experimental/tinyobj_loader_opt.h file of tinyobjloader commit d56555b allows attackers to cause a Denial of Service (DoS) via supplying a crafted .mtl file.
AnalysisAI
Stack overflow in tinyobjloader's experimental MTL file parser (tinyobj_loader_opt.h) allows local attackers to trigger denial of service by supplying a malformed .mtl file. The vulnerability affects the library's material file parsing logic and crashes the application via stack memory corruption, though with EPSS score of 0.01% and no confirmed active exploitation, real-world risk is minimal despite the moderate CVSS 6.2 rating.
Technical ContextAI
tinyobjloader is a lightweight C++ single-header library for parsing Wavefront OBJ and MTL (material) files commonly used in 3D graphics applications. The vulnerability resides in the experimental optimization header (tinyobj_loader_opt.h), specifically in the stack-based buffer handling during MTL file parsing. CWE-121 (stack-based buffer overflow) indicates that fixed-size stack buffers in the material file parser do not properly validate the size of user-supplied data before copying, allowing an oversized or specially-crafted MTL material definition to overflow the stack frame and corrupt adjacent memory.
RemediationAI
Update tinyobjloader to commit 386b73bb8c1a855236beb73b11f45f7feac4e03a or later, which patches the stack overflow in the MTL parser. Developers should pull the latest version from https://github.com/kiyochii/tinyobjloader and rebuild their applications. As an interim mitigation, if updating is not immediately feasible, disable or restrict processing of MTL files from untrusted sources, or run 3D model loading in a sandboxed process with restricted file system and memory access. Review application code to ensure user-supplied or network-downloaded MTL files are validated for size and format before processing by tinyobjloader.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21926