Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
cgltf version 1.15 and prior contain an integer overflow vulnerability in the cgltf_validate() function when validating sparse accessors that allows attackers to trigger out-of-bounds reads by supplying crafted glTF/GLB input files with attacker-controlled size values. Attackers can exploit unchecked arithmetic operations in sparse accessor validation to cause heap buffer over-reads in cgltf_calc_index_bound(), resulting in denial of service crashes and potential memory disclosure.
AnalysisAI
cgltf versions 1.15 and earlier are vulnerable to integer overflow in sparse accessor validation that enables local attackers to craft malicious glTF/GLB files triggering heap buffer over-reads. Exploitation causes denial of service through application crashes and may leak sensitive memory contents. No patch is currently available for this high-severity vulnerability (CVSS 8.4).
Technical ContextAI
cgltf is a single-file C99 glTF/GLB parser library developed by jkuhlmann, widely used for 3D model file processing in graphics engines, game development frameworks, and digital asset pipelines. The vulnerability resides specifically in the cgltf_validate() function's handling of sparse accessors, which are a glTF feature that optimize storage of sparse data by only storing non-default values. The root cause is classified under CWE-190 (Integer Overflow or Wraparound), manifesting in the cgltf_calc_index_bound() calculation function where attacker-controlled size fields in the sparse accessor definition are used in arithmetic operations without proper overflow checks. When an integer overflow occurs during these calculations, the resulting value can be used to compute incorrect buffer bounds, leading to heap buffer over-reads when the validation logic attempts to access sparse accessor data.
RemediationAI
Upgrade cgltf to a version newer than 1.15 once a patched release is available from the official repository. Users should monitor the jkuhlmann/cgltf GitHub repository at https://github.com/jkuhlmann/cgltf for security patches and review the VulnCheck advisory at https://www.vulncheck.com/advisories/jkuhlmann-cgltf-sparse-accessor-validation-integer-overflow for detailed patch information. As an interim mitigation, applications processing untrusted glTF/GLB files should implement file validation layers that verify sparse accessor size fields against document bounds before invoking cgltf_validate(), disable sparse accessor processing if not required for functionality, or restrict glTF file processing to trusted sources only. Additionally, sandboxing the glTF parsing process or running it in memory-protected environments can limit the impact of denial of service attacks.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14448