CVE-2026-29628
Received Received - Intake
Stack Overflow in tinyobjloader's tinyobj_loader_opt.h Causes DoS

Publication date: 2026-04-13

Last updated on: 2026-04-13

Assigner: MITRE

Description
A stack overflow in the experimental/tinyobj_loader_opt.h file of tinyobjloader commit d56555b allows attackers to cause a Denial of Service (DoS) via supplying a crafted .mtl file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29628
EUVD
EUVD-2026-21926
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
tinyobjloader tinyobjloader *
tinyobjloader tinyobjloader to d56555b (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-29628 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-29628 is a stack-based buffer overflow vulnerability in the tinyobjloader library, specifically in the experimental version within the function tinyobj_opt::LoadMtl. The issue occurs when an attacker supplies a crafted .mtl file containing an oversized "newmtl" token. This token is read into a fixed-size local buffer named "namebuf" without proper input size checks, causing the buffer to overflow on the stack.

This overflow can lead to a Denial of Service (DoS) condition by corrupting the stack, potentially crashing the application using tinyobjloader.

Impact Analysis

The primary impact of this vulnerability is a Denial of Service (DoS) attack. An attacker can cause the application using tinyobjloader to crash by providing a specially crafted .mtl file that triggers the stack buffer overflow.

This could disrupt services or applications relying on tinyobjloader for loading material files, potentially leading to downtime or instability.

Detection Guidance

This vulnerability can be detected by reproducing the stack-based buffer overflow condition using a crafted .mtl file that triggers the overflow in the tinyobjloader library's LoadMtl function.

A proof of concept (poc.cpp) is available which can be compiled with AddressSanitizer and UndefinedBehaviorSanitizer enabled to detect the overflow during execution.

  • Compile the proof of concept with the following command to enable sanitizers that detect memory errors:
  • clang++ -std=c++17 -O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer -I./tinyobjloader -I./tinyobjloader/experimental poc.cpp -o poc

Running the compiled poc with a crafted .mtl file will help detect the vulnerability by triggering the stack buffer overflow.

Mitigation Strategies

To mitigate this vulnerability, update the tinyobjloader library to include the fix that limits the input size when reading the newmtl token.

The fix involves modifying the sscanf call in the LoadMtl function to include a maximum field width specifier, preventing buffer overflow by restricting input length.

  • On Microsoft compilers, use the safer sscanf_s function with the buffer size specified.
  • On other compilers, change the sscanf format string from " %s " to " %4095s " to limit input size.

Applying this fix by updating to the patched commit (386b73bb8c1a855236beb73b11f45f7feac4e03a) will prevent the stack buffer overflow and mitigate the Denial of Service risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29628. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart