Skip to main content

Assimp EUVD-2026-33522

| CVE-2026-10200 LOW
Heap-based Buffer Overflow (CWE-122)
2026-05-31 VulDB GHSA-x9p9-4cp2-p368
Heap Overflow Buffer Overflow Assimp
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
May 31, 2026 - 23:22 NVD
MEDIUM LOW
CVSS changed
May 31, 2026 - 23:22 NVD
5.3 (MEDIUM) 1.9 (LOW)
Analysis Generated
May 31, 2026 - 23:15 vuln.today

DescriptionCVE.org

A vulnerability was found in Assimp up to 6.0.4. This affects the function glTFCommon::CopyValue in the library glTFCommon.h of the component 4x4 Matrix Parser. Performing a manipulation results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been made public and could be used. The project tagged the reported issue as bug.

AnalysisAI

Heap-based buffer overflow in Assimp's glTF 4x4 Matrix Parser (versions up to 6.0.4) can be triggered by a local, low-privileged attacker supplying crafted input to the glTFCommon::CopyValue function in glTFCommon.h, resulting in partial confidentiality, integrity, and availability impact. A public proof-of-concept exploit archive has been published on GitHub, confirmed by the CVSS temporal modifier E:P (proof-of-concept). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local low-privilege access
Delivery
Craft malformed glTF matrix payload
Exploit
Supply file to Assimp-consuming application
Execution
Trigger CopyValue heap overflow
Persist
Corrupt heap memory
Impact
Achieve partial code execution or crash
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The attacker must have local system access with at least low-privilege credentials (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The overall risk is moderate-low in most production environments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with low operating system privileges places or supplies a maliciously crafted glTF file containing an oversized or malformed 4x4 transformation matrix to an application using Assimp for 3D model loading. When the application parses the file, `glTFCommon::CopyValue` writes beyond the allocated heap buffer, corrupting adjacent heap metadata or data. …
Remediation No vendor-released patch has been identified at time of analysis - the CVSS remediation level is RL:X (not defined), and the GitHub issue (#6612 at https://github.com/assimp/assimp/issues/6612) has not been linked to a tagged release fixing the overflow. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-33522 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy