Executive Summary

CVE-2026-32845 is an integer overflow vulnerability in the cgltf library version 1.15 and earlier, specifically in the cgltf_validate() function during sparse accessor validation.

The vulnerability occurs because the function performs unchecked arithmetic operations on size values related to sparse accessors. When processing crafted glTF or GLB files with attacker-controlled large size values, the multiplication of component size and count can overflow, causing the calculated required buffer size to be smaller than it actually is.

This incorrect size calculation allows the validation to accept undersized buffers, leading to out-of-bounds heap buffer reads in the cgltf_calc_index_bound() function. This results in a heap buffer overflow, causing memory safety violations.

The practical effect is that an attacker can supply maliciously crafted files that trigger this overflow, causing the application to crash or potentially disclose memory contents.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing an attacker to cause a denial of service (DoS) on applications using the vulnerable cgltf library.'}, {'type': 'paragraph', 'content': 'Specifically, by supplying specially crafted glTF or GLB files, an attacker can trigger out-of-bounds reads leading to heap buffer overflows, which cause the application to crash.'}, {'type': 'paragraph', 'content': "Additionally, there is a potential risk of memory disclosure due to these out-of-bounds reads, which could expose sensitive information from the application's memory."}] [1, 2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by analyzing the behavior of the cgltf_validate() function when processing glTF or GLB files, especially those containing sparse accessors with large or crafted size values that may cause integer overflow.

One practical detection method is to run cgltf_validate() on suspect .gltf or .glb files and observe if the process crashes or triggers memory safety violations such as segmentation faults or AddressSanitizer (ASan) errors.

Using AddressSanitizer or similar memory error detection tools during validation can help identify out-of-bounds reads caused by this vulnerability.

Suggested commands include:

• Run cgltf_validate() on input files and monitor for crashes or ASan reports.
• Use AddressSanitizer with the cgltf_validate() binary to detect heap buffer overflows: compile with -fsanitize=address and run validation.
• Manually inspect or fuzz test glTF/GLB files with large sparse accessor counts to trigger the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include avoiding the use of cgltf version 1.15 or earlier until a patched version is available.

If updating is not immediately possible, do not process untrusted or maliciously crafted glTF/GLB files that may contain sparse accessors with large count values.

Apply the suggested code fix by replacing unchecked multiplication with division-based bounds checking in the cgltf_validate() function to prevent integer overflow during sparse accessor validation.

• Implement bounds checks that verify sparse->count does not exceed the maximum allowed based on buffer sizes and component sizes.
• Audit other size computations in cgltf_validate() for similar unchecked arithmetic operations.

Additionally, use memory safety tools such as AddressSanitizer during development and testing to catch potential overflows early.

Useful 0 Not Useful 0