CVE-2026-10199
Received - Intake
Null Pointer Dereference in Assimp glTF2Asset

Publication date: 2026-05-31

Last updated on: 2026-05-31

Assigner: VulDB

Description
A vulnerability has been found in Assimp up to 6.0.4. Affected by this issue is the function glTF2::LazyDict in the library glTF2Asset.h. Manipulation of the argument operator[] leads to a null pointer dereference. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is d24b85319bd70c65883a2b96613e07e23fb95981. It is best practice to apply a patch to resolve this issue.
Meta Information
Published: 2026-05-31
Last Modified: 2026-05-31
Generated: 2026-06-01
AI Q&A: 2026-06-01
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: assimp
Product: assimp
Version / Range: to 6.0.4 (inc)
CWE ID / Description
CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.
CWE-404: The product does not release or incorrectly releases a resource before it is made available for re-use.
AI Powered Q&A
How can this vulnerability impact me?

The primary impact of this vulnerability is a potential denial of service caused by a null pointer dereference, which can crash the application using the Assimp library. Since the attack requires local access, remote exploitation is not possible.

The vulnerability does not affect confidentiality or integrity, but it can affect availability by causing the affected software to stop functioning properly.


What immediate steps should I take to mitigate this vulnerability?

The best immediate step to mitigate this vulnerability is to apply the patch named d24b85319bd70c65883a2b96613e07e23fb95981.

Since the attack must be carried out locally, limiting local access to trusted users and systems can also help reduce risk.


Can you explain this vulnerability to me?

This vulnerability exists in the Assimp library up to version 6.0.4, specifically in the function glTF2::LazyDict within the glTF2Asset.h file. The issue arises from the manipulation of the argument operator[], which leads to a null pointer dereference. This means that when the function tries to access or manipulate data through a pointer that is null, it can cause the program to crash or behave unexpectedly.

The attack exploiting this vulnerability must be carried out locally, meaning an attacker needs local access to the system to trigger the issue. The vulnerability has been publicly disclosed, and a patch is available to fix it.

