CVE-2026-32845
Integer Overflow in cgltf Causes Heap Buffer Over-Reads
Publication date: 2026-03-23
Last updated on: 2026-03-23
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cgltf | cgltf | to 1.15 (exc) |
| jkuhlmann | cgltf | to 1.15 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32845 is an integer overflow vulnerability in the cgltf library version 1.15 and earlier, specifically in the cgltf_validate() function during sparse accessor validation.
The vulnerability occurs because the function performs unchecked arithmetic operations on size values related to sparse accessors. When processing crafted glTF or GLB files with attacker-controlled large size values, the multiplication of component size and count can overflow, causing the calculated required buffer size to be smaller than it actually is.
This incorrect size calculation allows the validation to accept undersized buffers, leading to out-of-bounds heap buffer reads in the cgltf_calc_index_bound() function. This results in a heap buffer overflow, causing memory safety violations.
The practical effect is that an attacker can supply maliciously crafted files that trigger this overflow, causing the application to crash or potentially disclose memory contents.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing an attacker to cause a denial of service (DoS) on applications using the vulnerable cgltf library.'}, {'type': 'paragraph', 'content': 'Specifically, by supplying specially crafted glTF or GLB files, an attacker can trigger out-of-bounds reads leading to heap buffer overflows, which cause the application to crash.'}, {'type': 'paragraph', 'content': "Additionally, there is a potential risk of memory disclosure due to these out-of-bounds reads, which could expose sensitive information from the application's memory."}] [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing the behavior of the cgltf_validate() function when processing glTF or GLB files, especially those containing sparse accessors with large or crafted size values that may cause integer overflow.
One practical detection method is to run cgltf_validate() on suspect .gltf or .glb files and observe if the process crashes or triggers memory safety violations such as segmentation faults or AddressSanitizer (ASan) errors.
Using AddressSanitizer or similar memory error detection tools during validation can help identify out-of-bounds reads caused by this vulnerability.
Suggested commands include:
- Run cgltf_validate() on input files and monitor for crashes or ASan reports.
- Use AddressSanitizer with the cgltf_validate() binary to detect heap buffer overflows: compile with -fsanitize=address and run validation.
- Manually inspect or fuzz test glTF/GLB files with large sparse accessor counts to trigger the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of cgltf version 1.15 or earlier until a patched version is available.
If updating is not immediately possible, do not process untrusted or maliciously crafted glTF/GLB files that may contain sparse accessors with large count values.
Apply the suggested code fix by replacing unchecked multiplication with division-based bounds checking in the cgltf_validate() function to prevent integer overflow during sparse accessor validation.
- Implement bounds checks that verify sparse->count does not exceed the maximum allowed based on buffer sizes and component sizes.
- Audit other size computations in cgltf_validate() for similar unchecked arithmetic operations.
Additionally, use memory safety tools such as AddressSanitizer during development and testing to catch potential overflows early.