CVE-2026-29628
Stack Overflow in tinyobjloader's tinyobj_loader_opt.h Causes DoS
Publication date: 2026-04-13
Last updated on: 2026-04-13
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tinyobjloader | tinyobjloader | * |
| tinyobjloader | tinyobjloader | to d56555b (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-29628 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-29628 is a stack-based buffer overflow vulnerability in the tinyobjloader library, specifically in the experimental version within the function tinyobj_opt::LoadMtl. The issue occurs when an attacker supplies a crafted .mtl file containing an oversized "newmtl" token. This token is read into a fixed-size local buffer named "namebuf" without proper input size checks, causing the buffer to overflow on the stack.
This overflow can lead to a Denial of Service (DoS) condition by corrupting the stack, potentially crashing the application using tinyobjloader.
How can this vulnerability impact me?
The primary impact of this vulnerability is a Denial of Service (DoS) attack. An attacker can cause the application using tinyobjloader to crash by providing a specially crafted .mtl file that triggers the stack buffer overflow.
This could disrupt services or applications relying on tinyobjloader for loading material files, potentially leading to downtime or instability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reproducing the stack-based buffer overflow condition using a crafted .mtl file that triggers the overflow in the tinyobjloader library's LoadMtl function.
A proof of concept (poc.cpp) is available which can be compiled with AddressSanitizer and UndefinedBehaviorSanitizer enabled to detect the overflow during execution.
Compile the proof of concept with the following command to enable sanitizers that detect memory errors:

```
clang++ -std=c++17 -O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer -I./tinyobjloader -I./tinyobjloader/experimental poc.cpp -o poc
```
Running the compiled poc with a crafted .mtl file will help detect the vulnerability by triggering the stack buffer overflow.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the tinyobjloader library to include the fix that limits the input size when reading the newmtl token.
The fix involves modifying the sscanf call in the LoadMtl function to include a maximum field width specifier, preventing buffer overflow by restricting input length.
- On Microsoft compilers, use the safer sscanf_s function with the buffer size specified.
- On other compilers, change the sscanf format string from " %s " to " %4095s " to limit input size.
Applying this fix by updating to the patched commit (386b73bb8c1a855236beb73b11f45f7feac4e03a) will prevent the stack buffer overflow and mitigate the Denial of Service risk.
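The bounded read described in the fix above, as an added example that is not tinyobjloader's code or the page's poc.cpp. It assumes a 4096-byte namebuf (inferred from the 4095 width), uses hypothetical function and enum names, and goes one step beyond the fix by using %n to report a name that was cut at the width.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Assumption: namebuf holds 4096 bytes, inferred from the "%4095s" width.
static const std::size_t kNameBufSize = 4096;

enum class NameResult { Ok, Missing, Truncated };  // hypothetical names

// Unbounded form the advisory describes (do not use):
//   sscanf(token, " %s ", namebuf);   // copies until whitespace, any length
// Bounded form: the width stops sscanf after 4095 bytes plus the NUL.
// %n records how much input was consumed so truncation can be reported.
NameResult read_newmtl_name(const char *token, char (&namebuf)[kNameBufSize]) {
  namebuf[0] = '\0';
  int consumed = 0;
  if (std::sscanf(token, " %4095s%n", namebuf, &consumed) != 1)
    return NameResult::Missing;  // empty or whitespace-only token
  // A non-space byte right after the consumed span means the name was
  // longer than the width and has been cut; reject rather than alias it.
  unsigned char next = static_cast<unsigned char>(token[consumed]);
  if (next != '\0' && !std::isspace(next)) return NameResult::Truncated;
  return NameResult::Ok;
}

int main() {
  static char namebuf[kNameBufSize];
  std::string oversized(5000, 'A');  // constructed oversized newmtl name
  const char *samples[] = {" wood_floor\n", oversized.c_str(), "   "};
  for (const char *s : samples) {
    NameResult r = read_newmtl_name(s, namebuf);
    std::printf("result=%d stored=%zu bytes\n", static_cast<int>(r),
                std::strlen(namebuf));
  }
  return 0;
}
```

Built with the same `-fsanitize=address,undefined` flags shown earlier, the oversized sample produces no sanitizer report because at most 4095 bytes are stored.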