CVE-2026-10233
Deferred Deferred - Pending Action
HL1MDLLoader Out-of-Bounds Read in Assimp

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: VulDB

Description
A security vulnerability has been detected in Assimp up to 6.0.4. Affected by this issue is the function HL1MDLLoader::read_sequence_infos of the file HL1MDLLoader.cpp of the component Half-Life 1 MDL Loader. The manipulation of the argument aiString leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The project tagged the reported issue as bug.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-03
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10233
EUVD
EUVD-2026-33566
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
assimp assimp to 6.0.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is a global buffer overflow in the Assimp library's Half-Life 1 MDL file parser, specifically in the function HL1MDLLoader::read_sequence_infos. It occurs when processing malformed MDL files that contain extremely long bone names. The parser reads these bone names into a fixed-size aiString buffer without proper length validation, which allows the buffer to be fully populated and triggers an out-of-bounds read when copying the corrupted aiString. This results in a global buffer overflow and memory corruption.

Impact Analysis

The vulnerability can lead to memory corruption due to an out-of-bounds read caused by a global buffer overflow. Since the attack requires local access and specially crafted MDL files, an attacker with local privileges could exploit this flaw to cause unexpected behavior or crashes in applications using the Assimp library's Half-Life 1 MDL loader. However, the impact is limited as it does not directly lead to code execution or privilege escalation.

Detection Guidance

This vulnerability can be detected by using a specially crafted MDL file that triggers the out-of-bounds read in the HL1MDLLoader::read_sequence_infos() function of the Assimp library. The issue can be demonstrated using the assimp_fuzzer tool, which when run with AddressSanitizer enabled, detects the memory corruption caused by the malformed MDL file.

To detect the vulnerability on your system, you can run the assimp_fuzzer tool with a crafted MDL file and monitor for AddressSanitizer reports indicating memory corruption or out-of-bounds reads.

  • Use AddressSanitizer-enabled build of Assimp and run: ./assimp_fuzzer path/to/malformed_file.mdl
  • Check logs or output for AddressSanitizer errors indicating out-of-bounds reads or buffer overflows.
Mitigation Strategies

Immediate mitigation steps include avoiding the use of untrusted or malformed MDL files with the Assimp library, especially those related to Half-Life 1 model loading.

Since the vulnerability requires local attack and involves processing crafted MDL files, restricting access to the Assimp library or applications using it to trusted users and files can reduce risk.

Additionally, monitor for updates or patches from the Assimp project that address this issue and apply them as soon as they become available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10233. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart