
Assimp EUVD-2026-33520

CVE-2026-10198 LOW
NULL Pointer Dereference (CWE-476)
2026-05-31 VulDB GHSA-7m2c-m24q-64cc
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

CVSS changed: May 31, 2026 - 23:22 (NVD), 3.3 (LOW) → 1.9 (LOW)
Analysis Generated: May 31, 2026 - 23:15 (vuln.today)

Description (CVE.org)

A flaw has been found in Assimp up to 6.0.4. Affected by this vulnerability is the function Assimp::glTFImporter::ImportMeshes of the file glTFImporter.cpp of the component glTFImporter. This manipulation causes null pointer dereference. The attack is restricted to local execution. The exploit has been published and may be used. The project tagged the reported issue as bug.

Analysis (AI)

Null pointer dereference in Assimp's glTF mesh importer (versions up to and including 6.0.4) allows a locally authenticated attacker with low privileges to crash any application that uses the library to process a crafted 3D model file. The flaw resides specifically in the Assimp::glTFImporter::ImportMeshes function within glTFImporter.cpp, meaning only applications that invoke the glTF import pipeline are exposed. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain local low-privilege access
Delivery: Craft malformed glTF mesh file
Exploit: Supply file to Assimp-consuming application
Execution: Trigger null dereference in ImportMeshes
Impact: Application process crashes (DoS)

Vulnerability Assessment (AI)

Exploitation: Local execution is required - the attack vector is AV:L, meaning the attacker must have the ability to execute code or supply files on the host system. …

Risk Assessment: The real-world risk is low. …

Exploit Scenario: A local user with standard (low-privilege) account access supplies a specially crafted .gltf file to an application that uses Assimp ≤6.0.4 for 3D model loading - for example, a content creation tool, game engine editor, or model viewer. When the application attempts to import the file, the call to Assimp::glTFImporter::ImportMeshes dereferences a null pointer, immediately crashing the host process. …

Remediation: No vendor-released patched version has been identified at time of analysis - the Assimp project tagged GitHub issue #6609 as a bug, and no fix commit or tagged release resolving this null dereference has been confirmed from available references. …
