CVE-2026-10201
Received Received - Intake
Divide by Zero in Assimp UV Channel Handler

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A vulnerability was determined in Assimp up to 6.0.4. This vulnerability affects the function FBXExporter::WriteObjects of the file FBXExporter.cpp of the component UV Channel Handler. Executing a manipulation can lead to divide by zero. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. Applying a patch is advised to resolve this issue. The project tagged the reported issue as bug.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10201
EUVD
EUVD-2026-33523
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
assimp assimp to 6.0.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
CWE-369 The product divides a value by zero.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Assimp library's FBXExporter::WriteObjects() function, specifically in the handling of UV channels. When processing UV channels that have zero components, the code performs a division by the number of UV components without checking if this number is zero. This leads to a divide-by-zero error causing a floating-point exception crash.

The issue occurs because the function divides by 'nc' (the number of UV components) without validating that 'nc' is non-zero. If a UV channel exists but has zero components, this triggers the vulnerability.

The vulnerability was discovered through fuzzing and can be triggered by processing specially crafted malformed input files.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can cause the affected program to crash due to a floating-point exception triggered by a divide-by-zero error.

An attacker could exploit this by providing a specially crafted file that triggers the vulnerability, leading to a denial-of-service condition where the program terminates unexpectedly.

There is also a potential risk that, under certain conditions, arbitrary code execution could be possible if an attacker tricks a user into processing a malicious file, although the primary impact is denial of service.

Detection Guidance

This vulnerability can be detected by testing the Assimp library's handling of FBX files with malformed UV channel data that have zero components. Specifically, fuzzing or processing specially crafted FBX files that trigger a division by zero in the FBXExporter::WriteObjects function can reveal the issue.

There are no direct network detection commands since the attack must be launched locally by processing a crafted file.

To detect the vulnerability on your system, you can attempt to process a known proof-of-concept malformed FBX file that triggers the floating-point exception crash.

  • Run the vulnerable Assimp version with a crafted FBX file and observe if it crashes with a floating-point exception.
  • Use fuzzing tools targeting the FBXImporter/Exporter components to identify crashes related to division by zero.
Mitigation Strategies

The immediate mitigation step is to apply the patch provided by the Assimp project that adds validation to ensure the number of UV components ('nc') is non-zero before performing division.

Until the patch is applied, avoid processing untrusted or malformed FBX files that could trigger the vulnerability.

Since the attack requires local execution, restrict access to systems running vulnerable versions of Assimp and monitor for abnormal crashes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10201. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart