CVE-2025-11274
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in Open Asset Import Library Assimp 6.0.2. Affected is the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. This manipulation causes allocation of resources. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11274
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
assimp assimp 6.0.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11274 is a vulnerability in Open Asset Import Library (Assimp) version 6.0.2, specifically in the Q3DImporter::InternReadFile function. The function reads the number of materials (numMats) from an input file without validating it. An attacker can craft a malicious file with an excessively large numMats value, causing the program to attempt to allocate an unreasonably large amount of memory. This leads to an allocation-size-too-big error, triggering process termination and causing a denial of service. The vulnerability requires local access to exploit and has been publicly disclosed with proof-of-concept exploits available. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by causing a denial of service (DoS) on systems using the affected Assimp library version. When processing a maliciously crafted file, the application may crash due to excessive memory allocation attempts, leading to process termination and unavailability of the service or application relying on Assimp. The attack requires local access and is considered easy to exploit. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal termination of the Assimp 6.0.2 application when processing Quick3D files, especially those with crafted material counts. Using fuzz testing with sanitizers like AddressSanitizer (ASan) and UndefinedBehaviorSanitizer (UBSan) can help identify the issue by triggering allocation-size-too-big errors. There are no specific network detection commands since the attack requires local execution. To detect exploitation attempts, you can monitor application logs for crashes or use debugging tools to trace memory allocation failures during file imports. [3, 1]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of Assimp version 6.0.2 for processing untrusted Quick3D files, as the vulnerability requires local execution and is triggered by malicious input files. Since no known countermeasures or patches are currently available, consider replacing the affected component with an alternative product or updating to a fixed version once released. Additionally, restrict local access to systems running the vulnerable Assimp version to trusted users only to reduce exploitation risk. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11274. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart