Skip to main content

Blender CVE-2026-60103

MEDIUM
Out-of-bounds Read (CWE-125)
2026-07-13 VulnCheck
6.8
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

File-open triggers the flaw locally (AV:L, UI:R); no privileges needed; crash is primary impact (A:H) with limited heap read (C:L); no integrity impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 19:44 vuln.today
CVE Published
Jul 13, 2026 - 17:44 cve.org
MEDIUM 6.8

DescriptionCVE.org

Blender 3.0.0 through 5.1.2 contains an out-of-bounds read vulnerability that allows attackers to trigger a crash or read adjacent heap memory by supplying a crafted .blend file with a malicious signed short member_index value in the SDNA block. The member_index field is used as an array index into the sdna->members[] array in sdna_expand_names() without bounds validation, allowing any value outside the allocated range to produce an invalid pointer subsequently passed to strlen(), resulting in a SIGSEGV crash or unintended heap memory disclosure.

AnalysisAI

Out-of-bounds read in Blender 3.0.0 through 5.1.2 allows an attacker to crash the application or disclose heap memory contents by convincing a user to open a specially crafted .blend file containing a malicious member_index value in the SDNA block. The vulnerability stems from missing bounds validation on a signed short index used directly as an array subscript in sdna_expand_names(), enabling both denial-of-service via SIGSEGV and limited heap memory disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft .blend file with malformed SDNA member_index
Delivery
Deliver file to target via social engineering
Exploit
Target opens file in Blender
Execution
sdna_expand_names() uses unchecked index
Persist
Invalid pointer passed to strlen()
Impact
SIGSEGV crash or heap memory read

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to open a crafted .blend file in Blender 3.0.0 through 5.1.2; this is the sole prerequisite and is encoded in the CVSS vector as UI:A (active user interaction). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.8 reflects a local, user-interaction-required attack with high availability impact and low confidentiality impact - accurately capturing the realistic threat model. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a .blend file with a malformed SDNA block containing a member_index value outside the valid range of the sdna->members[] array, then delivers it to a Blender user via email attachment, file-sharing platform, or a compromised asset repository. When the target opens the file, sdna_expand_names() dereferences the invalid pointer, either crashing Blender (SIGSEGV) or reading and potentially exposing adjacent heap contents. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - monitor the Blender release page and apply the next stable release once it incorporates commit 968972a918b5ed2d534295b639c54449d7de11cd, referenced at https://projects.blender.org/blender/blender/commit/968972a918b5ed2d534295b639c54449d7de11cd. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-60103 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy