CVE-2026-10198
Heap-based Null Pointer Dereference in Assimp glTFImporter
Publication date: 2026-05-31
Last updated on: 2026-05-31
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| assimp | assimp | up to 6.0.4 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw found in the Assimp library up to version 6.0.4, specifically in the function Assimp::glTFImporter::ImportMeshes within the glTFImporter.cpp file. The flaw causes a null pointer dereference, which means the program attempts to access memory through a pointer that is null, leading to a crash or unexpected behavior.
The vulnerability can only be exploited locally, meaning an attacker must have local access to the system to trigger it. The issue has been publicly disclosed and an exploit is available.
How can this vulnerability impact me?
The impact of this vulnerability is limited to causing a null pointer dereference, which can lead to a denial of service by crashing the application using the vulnerable Assimp component.
Since the attack requires local access and the vulnerability does not allow for code execution or data compromise, the overall impact is low.