Source: assimp
Version: 6.0.5+ds-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for assimp.

This is a huge batch of recently assigned CVEs for assimp, making it
hard to tackle things properly. Please help to assess the individual
ones, but we have already marked them either postponed or no-dsa,
depending on whether we are still waiting for an upstream fix. Can you
approach upstream?

CVE-2025-70067[0]:
| Buffer Overflow vulnerability exists in Assimp versions up to 6.0.2
| in the FBX Importer. The vulnerability occurs in
| aiMaterial::AddBinaryProperty, where a property key string from a
| crafted FBX file is copied into a fixed-size heap buffer using
| strcpy() without runtime length validation


CVE-2025-70069[1]:
| An issue in Assimp v.6.0.2 allows a remote attacker to cause a
| denial of service via the FBXConverter.cpp and
| ConvertMeshMultiMaterial() method


CVE-2025-70070[2]:
| An issue in Assimp v.6.0.2 allows a remote attacker to cause a
| denial of service via the FBXMeshGeometry.cpp,
| MeshGeometry::MeshGeometry()


CVE-2025-70071[3]:
| An issue in Assimp v.6.0.2 allows a remote attacker to cause a
| denial of service via the FBXParser.cpp, ParseVectorDataArray()


CVE-2025-70072[4]:
| An issue in Assimp v.6.0.2 allows a remote attacker to cause a
| denial of service via the FBXConverter.cpp,
| FBXConverter::ConvertMeshMultiMaterial() components


CVE-2026-10197[5]:
| A vulnerability was detected in Assimp up to 6.0.4. Affected is the
| function glTF2Importer::ImportEmbeddedTextures in the library
| code/AssetLib/glTF2/glTF2Importer.cpp of the component TF File
| Handler. The manipulation results in null pointer dereference. The
| attack is only possible with local access. The exploit is now public
| and may be used. It is advisable to implement a patch to correct
| this issue. The pull request to fix this issue awaits acceptance.


CVE-2026-10198[6]:
| A flaw has been found in Assimp up to 6.0.4. Affected by this
| vulnerability is the function Assimp::glTFImporter::ImportMeshes of
| the file glTFImporter.cpp of the component glTFImporter. This
| manipulation causes null pointer dereference. The attack is
| restricted to local execution. The exploit has been published and
| may be used. The project tagged the reported issue as bug.


CVE-2026-10199[7]:
| A vulnerability has been found in Assimp up to 6.0.4. Affected by
| this issue is the function glTF2::LazyDict in the library
| glTF2Asset.h. Such manipulation of the argument operator[] leads to
| null pointer dereference. The attack must be carried out locally.
| The exploit has been disclosed to the public and may be used. The
| name of the patch is d24b85319bd70c65883a2b96613e07e23fb95981. It is
| best practice to apply a patch to resolve this issue.


CVE-2026-10200[8]:
| A vulnerability was found in Assimp up to 6.0.4. This affects the
| function glTFCommon::CopyValue in the library glTFCommon.h of the
| component 4x4 Matrix Parser. Performing a manipulation results in
| heap-based buffer overflow. The attack must be initiated from a
| local position. The exploit has been made public and could be used.
| The project tagged the reported issue as bug.


CVE-2026-10201[9]:
| A vulnerability was determined in Assimp up to 6.0.4. This
| vulnerability affects the function FBXExporter::WriteObjects of the
| file FBXExporter.cpp of the component UV Channel Handler. Executing
| a manipulation can lead to divide by zero. The attack needs to be
| launched locally. The exploit has been publicly disclosed and may be
| utilized. Applying a patch is advised to resolve this issue. The
| project tagged the reported issue as bug.


CVE-2026-10229[10]:
| A vulnerability was determined in Assimp up to 6.0.4. This affects
| the function HL1MDLLoader::read_meshes of the file HL1MDLLoader.cpp
| of the component Half-Life 1 MDL Loader. This manipulation causes
| heap-based buffer overflow. The attack is restricted to local
| execution. The exploit has been publicly disclosed and may be
| utilized. The project tagged the reported issue as bug.


CVE-2026-10230[11]:
| A vulnerability was identified in Assimp up to 6.0.4. This impacts
| the function Assimp::MDL::HalfLife::HL1MDLLoader::read_animations of
| the file HL1MDLLoader.cpp of the component Half-Life 1 MDL Loader.
| Such manipulation leads to heap-based buffer overflow. The attack
| must be carried out locally. The exploit is publicly available and
| might be used. The project tagged the reported issue as bug.


CVE-2026-10231[12]:
| A security flaw has been discovered in Assimp up to 6.0.4. Affected
| is the function HL1MDLLoader::extract_anim_value of the file
| HL1MDLLoader.cpp of the component Half-Life 1 MDL Loader. Performing
| a manipulation of the argument num.total results in heap-based
| buffer overflow. The attack must be initiated from a local position.
| The exploit has been released to the public and may be used for
| attacks. The project tagged the reported issue as bug.


CVE-2026-10232[13]:
| A weakness has been identified in Assimp up to 6.0.4. Affected by
| this vulnerability is the function aiNode::~aiNode of the file
| scene.cpp of the component ASE File Parser. Executing a manipulation
| can lead to use after free. The attack needs to be launched locally.
| The exploit has been made available to the public and could be used
| for attacks. The project tagged the reported issue as bug.


CVE-2026-10233[14]:
| A security vulnerability has been detected in Assimp up to 6.0.4.
| Affected by this issue is the function
| HL1MDLLoader::read_sequence_infos of the file HL1MDLLoader.cpp of
| the component Half-Life 1 MDL Loader. The manipulation of the
| argument aiString leads to out-of-bounds read. The attack needs to
| be performed locally. The exploit has been disclosed publicly and
| may be used. The project tagged the reported issue as bug.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-70067
    https://www.cve.org/CVERecord?id=CVE-2025-70067
[1] https://security-tracker.debian.org/tracker/CVE-2025-70069
    https://www.cve.org/CVERecord?id=CVE-2025-70069
[2] https://security-tracker.debian.org/tracker/CVE-2025-70070
    https://www.cve.org/CVERecord?id=CVE-2025-70070
[3] https://security-tracker.debian.org/tracker/CVE-2025-70071
    https://www.cve.org/CVERecord?id=CVE-2025-70071
[4] https://security-tracker.debian.org/tracker/CVE-2025-70072
    https://www.cve.org/CVERecord?id=CVE-2025-70072
[5] https://security-tracker.debian.org/tracker/CVE-2026-10197
    https://www.cve.org/CVERecord?id=CVE-2026-10197
[6] https://security-tracker.debian.org/tracker/CVE-2026-10198
    https://www.cve.org/CVERecord?id=CVE-2026-10198
[7] https://security-tracker.debian.org/tracker/CVE-2026-10199
    https://www.cve.org/CVERecord?id=CVE-2026-10199
[8] https://security-tracker.debian.org/tracker/CVE-2026-10200
    https://www.cve.org/CVERecord?id=CVE-2026-10200
[9] https://security-tracker.debian.org/tracker/CVE-2026-10201
    https://www.cve.org/CVERecord?id=CVE-2026-10201
[10] https://security-tracker.debian.org/tracker/CVE-2026-10229
    https://www.cve.org/CVERecord?id=CVE-2026-10229
[11] https://security-tracker.debian.org/tracker/CVE-2026-10230
    https://www.cve.org/CVERecord?id=CVE-2026-10230
[12] https://security-tracker.debian.org/tracker/CVE-2026-10231
    https://www.cve.org/CVERecord?id=CVE-2026-10231
[13] https://security-tracker.debian.org/tracker/CVE-2026-10232
    https://www.cve.org/CVERecord?id=CVE-2026-10232
[14] https://security-tracker.debian.org/tracker/CVE-2026-10233
    https://www.cve.org/CVERecord?id=CVE-2026-10233

Regards,
Salvatore
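
The CVE-2025-70067 description above names an unchecked strcpy() of a file-supplied key into a fixed-size heap buffer. The following is an added example, not part of the original message and not assimp code: it shows that pattern beside a length-checked form. The struct, the function names and KEY_MAX are hypothetical, and the keys are constructed sample input.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_MAX 1024 /* assumed capacity of the key buffer, NUL included */

/* Hypothetical stand-in for a property record with a fixed-size key. */
struct prop {
    size_t key_len;
    char key[KEY_MAX];
};

/* Pattern described for CVE-2025-70067: no run-time length check, so a
 * key of KEY_MAX bytes or more is written past the end of key[]. */
void prop_set_key_unchecked(struct prop *p, const char *key)
{
    strcpy(p->key, key);
    p->key_len = strlen(key);
}

/* Checked form. `avail` is the number of bytes readable at `key`; data
 * taken from a file may have no terminator inside that range. Oversized
 * keys are rejected, not truncated, and *p is left unchanged. */
int prop_set_key(struct prop *p, const char *key, size_t avail)
{
    if (p == NULL || key == NULL)
        return -1;
    const char *nul = memchr(key, '\0', avail);
    size_t n = nul ? (size_t)(nul - key) : avail;
    if (n >= KEY_MAX)
        return -1;
    memcpy(p->key, key, n);
    p->key[n] = '\0';
    p->key_len = n;
    return 0;
}

int main(void)
{
    struct prop *p = calloc(1, sizeof *p); /* heap object, as in the report */
    char big[2 * KEY_MAX];                 /* constructed oversized key */
    if (p == NULL)
        return 1;
    memset(big, 'A', sizeof big);
    printf("short key: %d\n", prop_set_key(p, "demo.key", sizeof "demo.key"));
    printf("oversized key: %d\n", prop_set_key(p, big, sizeof big));
    free(p);
    return 0;
}
```

Rejecting the oversized key keeps the caller from continuing with a silently truncated property name.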
