CVE-2025-11274
BaseFortify
Publication date: 2025-10-05
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| assimp | assimp | 6.0.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11274 is a vulnerability in Open Asset Import Library (Assimp) version 6.0.2, specifically in the Q3DImporter::InternReadFile function. The function reads the number of materials (numMats) from an input file without validating it. An attacker can craft a malicious file with an excessively large numMats value, causing the program to attempt to allocate an unreasonably large amount of memory. This leads to an allocation-size-too-big error, triggering process termination and causing a denial of service. The vulnerability requires local access to exploit and has been publicly disclosed with proof-of-concept exploits available. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by causing a denial of service (DoS) on systems using the affected Assimp library version. When processing a maliciously crafted file, the application may crash due to excessive memory allocation attempts, leading to process termination and unavailability of the service or application relying on Assimp. The attack requires local access and is considered easy to exploit. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or abnormal termination of the Assimp 6.0.2 application when processing Quick3D files, especially those with crafted material counts. Using fuzz testing with sanitizers like AddressSanitizer (ASan) and UndefinedBehaviorSanitizer (UBSan) can help identify the issue by triggering allocation-size-too-big errors. There are no specific network detection commands since the attack requires local execution. To detect exploitation attempts, you can monitor application logs for crashes or use debugging tools to trace memory allocation failures during file imports. [3, 1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of Assimp version 6.0.2 for processing untrusted Quick3D files, as the vulnerability requires local execution and is triggered by malicious input files. Since no known countermeasures or patches are currently available, consider replacing the affected component with an alternative product or updating to a fixed version once released. Additionally, restrict local access to systems running the vulnerable Assimp version to trusted users only to reduce exploitation risk. [2]