CVE-2026-10200
Deferred Deferred - Pending Action
Heap-based Buffer Overflow in Assimp 4x4 Matrix Parser

Publication date: 2026-05-31

Last updated on: 2026-05-31

Assigner: VulDB

Description
A vulnerability was found in Assimp up to 6.0.4. This affects the function glTFCommon::CopyValue in the library glTFCommon.h of the component 4x4 Matrix Parser. Performing a manipulation results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been made public and could be used. The project tagged the reported issue as bug.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-31
Last Modified
2026-05-31
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10200
EUVD
EUVD-2026-33522
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
assimp assimp to 6.0.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in the Assimp library up to version 6.0.4, specifically in the function glTFCommon::CopyValue within the glTFCommon.h component that handles 4x4 Matrix Parsing.

The issue is a heap-based buffer overflow caused by improper handling or manipulation of data in this function.

An attacker must have local access to initiate the exploit, and the exploit code has been made publicly available.

The project has classified this issue as a bug.

Impact Analysis

This vulnerability can lead to a heap-based buffer overflow, which may allow an attacker with local access to corrupt memory.

Such memory corruption could potentially be exploited to cause a crash, execute arbitrary code, or escalate privileges depending on the environment and usage.

However, the CVSS scores indicate a relatively low to moderate severity, with the highest being 5.3 (medium severity) in version 3.1.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal behavior in applications using the Assimp library when parsing glTF2 files, especially those containing node transformation matrices.

Fuzzing tools targeting the glTF2 importer, specifically the glTFCommon::CopyValue function, can be used to detect this heap-buffer-overflow by feeding malformed or corrupted glTF files.

There are no specific network commands to detect this vulnerability since the attack must be initiated locally and involves malformed file parsing.

Suggested commands include running the vulnerable application under a debugger or memory error detector such as AddressSanitizer to catch heap-buffer-overflow errors when loading suspicious glTF files.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of untrusted or malformed glTF files with applications using the Assimp library up to version 6.0.4.

Update the Assimp library to a version where this vulnerability is fixed once available.

Use runtime protections such as memory error detection tools (e.g., AddressSanitizer) during development and testing to identify and prevent exploitation.

Restrict local user permissions to limit the ability to execute malicious files that could trigger this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10200. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart