Skip to main content

Open CASCADE Technology EUVDEUVD-2026-26678

| CVE-2026-42481 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-01 mitre
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 01, 2026 - 19:23 vuln.today
CVSS changed
May 01, 2026 - 19:22 NVD
5.5 (None) 5.5 (MEDIUM)
EUVD ID Assigned
May 01, 2026 - 15:45 euvd
EUVD-2026-26678
Analysis Generated
May 01, 2026 - 15:45 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
MEDIUM 5.5

DescriptionCVE.org

Open CASCADE Technology (OCCT) V8_0_0_rc5 contains multiple vulnerabilities in its IGES and STEP file parsers that can be triggered by crafted IGES or STEP files. These issues include an out-of-bounds read in Geom2d_BSplineCurve::EvalD0 during IGES B-spline curve evaluation, an out-of-bounds read in MakeBSplineCurveCommon during STEP B-spline curve construction, and infinite recursion in StepShape_OrientedEdge::EdgeStart when processing a self-referential OrientedEdge entity. Successful exploitation may result in denial of service or unintended memory disclosure.

AnalysisAI

Open CASCADE Technology (OCCT) V8_0_0_rc5 contains multiple out-of-bounds read vulnerabilities and infinite recursion flaws in its IGES and STEP file parsers that can be triggered by maliciously crafted CAD files, resulting in denial of service or memory disclosure. Local attackers with low privilege can exploit these issues without user interaction by supplying crafted IGES or STEP files to applications using OCCT. EPSS-based risk assessment indicates moderate exploitation probability; CISA SSVC framework rates this as non-automated with partial technical impact (denial of service and information disclosure).

Technical ContextAI

Open CASCADE Technology is a 3D modeling kernel library widely used in CAD applications for parsing and processing IGES (Initial Graphics Exchange Specification) and STEP (Standard for the Exchange of Product Data) file formats. The vulnerabilities reside in critical parsing components: Geom2d_BSplineCurve::EvalD0 (IGES B-spline evaluation), MakeBSplineCurveCommon (STEP B-spline construction), and StepShape_OrientedEdge::EdgeStart (STEP entity resolution). The root cause is CWE-125 (out-of-bounds read), combined with improper recursion handling in entity reference resolution. These are core geometric computation routines exposed to untrusted file input.

RemediationAI

Exact patch version information is not provided in available data. Contact Open CASCADE Technology or monitor https://github.com/Open-Cascade-SRL for security updates. As immediate compensating controls: (1) restrict file submission to OCCT-dependent applications to trusted sources only (blocks untrusted IGES/STEP file ingestion); (2) run OCCT services in a sandboxed or containerized environment with resource limits (mitigates denial of service impact); (3) validate IGES/STEP files against schema before parsing if possible, though this adds computational overhead and may not catch all malformed inputs. Until a patched version is released, consider disabling IGES/STEP parsing if not essential to application functionality, or implement strict file size and complexity limits to reduce parsing time.

Share

EUVD-2026-26678 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy