CVE-2026-10232
Deferred Deferred - Pending Action
Use After Free in Assimp via ASE File Parser

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A weakness has been identified in Assimp up to 6.0.4. Affected by this vulnerability is the function aiNode::~aiNode of the file scene.cpp of the component ASE File Parser. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. The project tagged the reported issue as bug.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10232
EUVD
EUVD-2026-33565
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
assimp assimp to 6.0.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is a heap-use-after-free issue in the Assimp library, specifically in the ASE File Parser component. It occurs in the destructor function aiNode::~aiNode of the file scene.cpp. When parsing a malformed ASE file, an invalid node tree is created, causing a node to be freed prematurely. However, the destructor still tries to access the freed node's members, leading to use of memory that has already been deallocated.

The problem arises because of improper handling of node relationships during ASE file parsing, which causes recursive destruction of nodes to access invalid memory. This vulnerability can be triggered locally by providing a specially crafted ASE file.

Impact Analysis

Exploiting this vulnerability can lead to a program crash or potentially allow an attacker to execute arbitrary code or cause denial of service by manipulating memory. Since it is a use-after-free vulnerability, it may be leveraged to corrupt memory or escalate privileges if combined with other vulnerabilities.

However, the attack must be launched locally, and the overall severity is considered low to medium based on CVSS scores. The exploit requires a specially crafted ASE file to trigger the issue.

Detection Guidance

This vulnerability can be detected by triggering the heap-use-after-free condition during the destruction of aiNode objects when parsing malformed ASE files.

One practical detection method is to use AddressSanitizer to monitor for memory errors such as use-after-free during the execution of Assimp when it processes ASE files.

Additionally, the vulnerability can be triggered and tested by providing a specially crafted ASE file to the assimp_fuzzer tool, which is part of Assimp's fuzzing setup.

  • Run Assimp with AddressSanitizer enabled to detect memory errors.
  • Use the assimp_fuzzer tool with a crafted ASE file to reproduce the vulnerability.
Mitigation Strategies

To mitigate the heap-use-after-free vulnerability in Assimp up to version 6.0.4, avoid processing untrusted or malformed ASE files locally, as the attack requires local execution.

Use fuzzing tools such as assimp_fuzzer to test ASE files before processing them in production environments to detect malformed inputs that could trigger the vulnerability.

Monitor the Assimp project repository or issue tracker for patches or updates addressing this issue and apply them as soon as they become available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10232. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart