CVE-2026-10197
Deferred - Pending Action
Null Pointer Dereference in Assimp TF File Handler

Publication date: 2026-05-31

Last updated on: 2026-05-31

Assigner: VulDB

Description
A vulnerability was detected in Assimp up to 6.0.4. Affected is the function glTF2Importer::ImportEmbeddedTextures in the library code/AssetLib/glTF2/glTF2Importer.cpp of the component TF File Handler. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue. The pull request to fix this issue awaits acceptance.
Meta Information

  • Published: 2026-05-31
  • Last Modified: 2026-05-31
  • Generated: 2026-06-21
  • AI Q&A: 2026-06-01
  • EPSS Evaluated: 2026-06-19
Affected Vendors & Products

Showing 1 associated CPE

| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| assimp | assimp  | to 6.0.4 (inc)  |
| CWE ID  | Description |
|---------|-------------|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Executive Summary

This vulnerability exists in the Assimp library up to version 6.0.4, specifically in the function glTF2Importer::ImportEmbeddedTextures within the TF File Handler component. It causes a null pointer dereference: the program reads or writes memory through a pointer that it expects to be valid but that is NULL.

The vulnerability can only be exploited by an attacker with local access to the system. The exploit code is publicly available, making it easier for attackers to use this vulnerability. A patch has been developed but is awaiting acceptance.

Impact Analysis

The impact of this vulnerability is limited due to its low severity score and the requirement for local access to exploit it.

Successful exploitation results in a null pointer dereference, which typically causes the affected application to crash or behave unexpectedly. This can lead to denial of service but does not directly compromise data confidentiality or integrity.

Mitigation Strategies

The vulnerability is exploitable only with local access and results in a null pointer dereference in the Assimp library up to version 6.0.4.

It is advisable to implement a patch to correct this issue as soon as it becomes available.

Compliance Impact

The provided information does not include any details about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability affects the Assimp library up to version 6.0.4, specifically the function glTF2Importer::ImportEmbeddedTextures. Detection requires verifying the presence and version of the Assimp library on your system.

Since the attack requires local access and involves a null pointer dereference in a specific function, detection on a network level is unlikely. Instead, you should check the installed Assimp version and whether it is vulnerable.

  • Check the installed Assimp version using a package manager or by inspecting the library files.
  • For example, on Linux systems using dpkg: `dpkg -l | grep assimp`
  • Or using rpm: `rpm -qa | grep assimp`
  • If Assimp is built from source, check the version in the source directory or binary metadata.
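
An added example, not part of the original page or the Assimp project: a POSIX shell helper that takes the version strings reported by dpkg or rpm and compares them against the range listed here (to 6.0.4 inclusive), handling distribution decorations such as epochs and `+dfsg` suffixes. The function names and the `*assimp*` package-name pattern are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): flag Assimp packages inside the range
# listed on this page (<= 6.0.4). No fixed release is named on the page, so
# "above-range" does not mean "patched".

# Reduce a package version to upstream x.y.z: drop a Debian epoch ("1:"),
# a leading "v", and suffixes such as "~ds0-2", "+dfsg-1" or "-3.fc40".
upstream_version() {
    printf '%s\n' "$1" |
        sed -E 's/^[0-9]+://; s/^v//; s/^([0-9]+(\.[0-9]+){0,2}).*/\1/'
}

# Exit status: 0 = in affected range, 1 = above it, 2 = not parseable.
is_affected() {
    v=$(upstream_version "$1")
    case $v in ''|*[!0-9.]*) return 2 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $v            # split on dots; $v holds only digits and dots here
    IFS=$old_ifs
    for pair in "${1:-0}:6" "${2:-0}:0" "${3:-0}:4"; do
        have=${pair%%:*}; last=${pair##*:}
        if [ "$have" -lt "$last" ]; then return 0; fi
        if [ "$have" -gt "$last" ]; then return 1; fi
    done
    return 0             # exactly 6.0.4, the last version listed as affected
}

classify() {             # $1 = package name, $2 = version string
    rc=0; is_affected "$2" || rc=$?
    case $rc in
        0) echo "AFFECTED $1 $2" ;;
        1) echo "above-range $1 $2" ;;
        *) echo "UNKNOWN $1 $2" ;;
    esac
}

# Query whichever package database exists. The '*assimp*' name pattern is an
# assumption; distributions name the packages differently.
installed_versions() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' '*assimp*' 2>/dev/null || true
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME} %{VERSION}\n' '*assimp*' 2>/dev/null || true
    fi
}
scan() { installed_versions | while read -r name ver; do classify "$name" "$ver"; done; }

if [ "${1:-}" = "--scan" ]; then scan; fi
```

Run the script with `--scan` to classify what dpkg or rpm reports. Copies built from source or bundled inside an application are not covered by either package database and still need a manual check.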

Currently, there are no specific detection commands or signatures for this vulnerability, and the exploit requires local access. Applying the patch or updating to a fixed version when available is recommended.
