CVE-2026-42478
Denial of Service in Open CASCADE Technology VRML Parser
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opencascade | open_cascade_technology | to 7.9.3 (inc) |
| opencascade | open_cascade_technology | 8.0.0 |
| opencascade | open_cascade_technology | 8.0.0 |
| opencascade | open_cascade_technology | 8.0.0 |
| opencascade | open_cascade_technology | 8.0.0 |
| opencascade | open_cascade_technology | 8.0.0 |
| opencascade | open_cascade_technology | 8.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability described in CVE-2026-42478 causes a denial of service (DoS) via a crafted VRML file due to pointer dereference issues in Open CASCADE Technology. It does not involve unauthorized access to data, data leakage, or modification of information.
Since the impact is limited to availability (denial of service) and does not affect confidentiality or integrity of data, the vulnerability's direct effect on compliance with data protection regulations such as GDPR or HIPAA is minimal or indirect.
However, denial of service incidents can still have compliance implications if they disrupt critical systems or services that handle personal or protected health information, potentially affecting availability requirements under these regulations.
Can you explain this vulnerability to me?
This vulnerability exists in the VRML V2.0 parser component of Open CASCADE Technology (OCCT) version V8_0_0_rc5. Specifically, it is caused by the VrmlData_IndexedFaceSet::TShape function, which processes VRML files. An attacker can craft a malicious VRML file that triggers the parser to dereference a corrupt or unvalidated pointer during the construction of shapes in the library libTKDEVRML.so. This leads to a denial of service condition.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a denial of service (DoS). An attacker can exploit this flaw by providing a specially crafted VRML file to the affected software, causing it to crash or become unresponsive. This can disrupt normal operations and availability of applications relying on the vulnerable VRML parser.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability in Open CASCADE Technology (OCCT) V8_0_0_rc5 is triggered by processing a crafted VRML file that causes a denial of service due to dereferencing a corrupt or unvalidated pointer during shape construction.
Detection involves identifying attempts to parse malformed VRML files with the vulnerable VRML V2.0 parser component (VrmlData_IndexedFaceSet::TShape) in libTKDEVRML.so.
Since the vulnerability is local and requires low privileges, monitoring application logs for crashes or denial of service symptoms when processing VRML files is recommended.
No specific detection commands or network signatures are provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the processing of untrusted or malformed VRML files with the vulnerable OCCT version.
Applying updates or patches from the Open CASCADE Technology project that address this vulnerability is recommended once available.
If patching is not immediately possible, consider restricting access to the vulnerable VRML parsing functionality or running it in a restricted environment to limit potential denial of service impact.