What is the CVSS score of EUVD-2025-209620?

EUVD-2025-209620 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.1%.

Is there a patch available for EUVD-2025-209620?

Yes, a patch is available for EUVD-2025-209620. Update the affected software to the latest version immediately.

Assimp EUVD-2025-209620

| CVE-2025-70070 MEDIUM

NULL Pointer Dereference (CWE-476)

2026-05-04 mitre

Denial Of Service Null Pointer Dereference Red Hat Suse

6.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

May 04, 2026 - 17:15 vuln.today

CVSS changed

May 04, 2026 - 16:22 NVD

6.5 (MEDIUM)

EUVD ID Assigned

May 04, 2026 - 15:00 euvd

EUVD-2025-209620

Analysis Generated

May 04, 2026 - 15:00 vuln.today

CVE Published

May 04, 2026 - 00:00 nvd

MEDIUM 6.5

DescriptionNVD

An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXMeshGeometry.cpp, MeshGeometry::MeshGeometry()

AnalysisAI

Denial of service vulnerability in Assimp 6.0.2 via null pointer dereference in FBXMeshGeometry.cpp MeshGeometry constructor allows remote attackers to crash applications processing malicious FBX files. Requires user interaction (opening/processing a crafted file) but affects any application using the vulnerable library version. Publicly available exploit code exists; CVSS 6.5 reflects network attack vector with user interaction requirement.

Technical ContextAI

Assimp (Open Asset Import Library) is a 3D model import library supporting multiple formats including FBX. The vulnerability exists in the FBX geometry processing code (FBXMeshGeometry.cpp), specifically in the MeshGeometry constructor which handles mesh data parsing. A null pointer dereference (CWE-476) occurs during FBX mesh geometry initialization, indicating the code fails to validate or check for null pointers before dereferencing them. This typically happens when parsing specially crafted FBX files with malformed mesh geometry data that causes expected structures to be absent or improperly initialized.

RemediationAI

Upgrade Assimp to a patched version newer than 6.0.2 if available from the project repository (http://assimp.com). As no specific patched version number is confirmed in provided data, verify the latest stable release on the official Assimp GitHub or website. Until patching is possible, implement file validation: restrict FBX file processing to known-good files from trusted sources, disable automatic FBX loading in user-facing applications, and run Assimp-dependent services in sandboxed environments with resource limits (memory caps, process timeout) to contain denial of service impact. Server-side applications should implement upload validation to reject suspicious FBX files before parsing. Note: these workarounds do not eliminate the vulnerability but reduce exploitability in production environments.