CVE-2026-10233
Received - Intake
HL1MDLLoader Out-of-Bounds Read in Assimp

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A security vulnerability has been detected in Assimp up to 6.0.4. Affected by this issue is the function HL1MDLLoader::read_sequence_infos of the file HL1MDLLoader.cpp of the component Half-Life 1 MDL Loader. The manipulation of the argument aiString leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The project tagged the reported issue as bug.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-01
Generated: 2026-06-01
AI Q&A: 2026-06-01
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
assimp | assimp | to 6.0.4 (inc)
CWE ID | Description
CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer.
CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a global buffer overflow in the Assimp library's Half-Life 1 MDL file parser, specifically in the function HL1MDLLoader::read_sequence_infos. It occurs when processing malformed MDL files that contain extremely long bone names. The parser reads these bone names into a fixed-size aiString buffer without proper length validation, which allows the buffer to be fully populated and triggers an out-of-bounds read when copying the corrupted aiString. This results in a global buffer overflow and memory corruption.
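
A minimal C model of the bug class described above, added here as an illustration; it is not Assimp's code. `fixed_str`, `NAME_CAP` and the function names are hypothetical and the sample names are constructed. It shows a setter that refuses a name that would fill the fixed buffer, and a copy that checks the length invariant before reading.

```c
#include <stdint.h>
#include <string.h>
#define NAME_CAP 32u /* assumption: small stand-in for the real fixed capacity */

typedef struct {            /* hypothetical length-prefixed fixed string */
    uint32_t length;        /* bytes in use; valid only if < NAME_CAP */
    char data[NAME_CAP];    /* data[length] must be '\0' */
} fixed_str;

/* Invariant a consumer checks before trusting length or data. */
int fixed_str_valid(const fixed_str *s) {
    return s->length < NAME_CAP && s->data[s->length] == '\0';
}

/* Hardened setter for a fixed-width file field of src_cap bytes that may
 * have no terminator. Rejects names that would fill the buffer. */
int fixed_str_set(fixed_str *dst, const char *src, size_t src_cap) {
    const char *nul = memchr(src, '\0', src_cap);
    size_t n = nul ? (size_t)(nul - src) : src_cap;
    dst->length = 0; dst->data[0] = '\0';
    if (n >= NAME_CAP) return -1;       /* oversized: leave dst empty */
    memcpy(dst->data, src, n);
    dst->data[n] = '\0';
    dst->length = (uint32_t)n;
    return 0;
}

/* Hardened copy: refuses a source whose invariant is already broken. */
int fixed_str_copy(fixed_str *dst, const fixed_str *src) {
    if (!fixed_str_valid(src)) return -1;
    memcpy(dst->data, src->data, (size_t)src->length + 1);
    dst->length = src->length;
    return 0;
}

/* Constructed inputs; returns a bitmask of checks that held (0xf = all). */
int run_cases(void) {
    char field[64];
    fixed_str a, b, bad;
    int ok = 0;
    memset(field, 'A', sizeof field);   /* oversized, unterminated name */
    if (fixed_str_set(&a, field, sizeof field) == -1 && a.length == 0) ok |= 1;
    if (fixed_str_set(&a, "Bip01 Head", 11) == 0 && a.length == 10) ok |= 2;
    memset(&bad, 'A', sizeof bad);      /* fully populated buffer */
    bad.length = NAME_CAP;              /* length no longer indexes data */
    if (fixed_str_copy(&b, &bad) == -1) ok |= 4;
    if (fixed_str_copy(&b, &a) == 0 && strcmp(b.data, "Bip01 Head") == 0) ok |= 8;
    return ok;
}
int main(void) { return run_cases() == 0xf ? 0 : 1; }
```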


How can this vulnerability impact me?

The vulnerability can lead to memory corruption due to an out-of-bounds read caused by a global buffer overflow. Since the attack requires local access and specially crafted MDL files, an attacker with local privileges could exploit this flaw to cause unexpected behavior or crashes in applications using the Assimp library's Half-Life 1 MDL loader. However, the impact is limited as it does not directly lead to code execution or privilege escalation.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by using a specially crafted MDL file that triggers the out-of-bounds read in the HL1MDLLoader::read_sequence_infos() function of the Assimp library. The issue can be demonstrated using the assimp_fuzzer tool, which, when run with AddressSanitizer enabled, detects the memory corruption caused by the malformed MDL file.

To detect the vulnerability on your system, you can run the assimp_fuzzer tool with a crafted MDL file and monitor for AddressSanitizer reports indicating memory corruption or out-of-bounds reads.

  • Use an AddressSanitizer-enabled build of Assimp and run: ./assimp_fuzzer path/to/malformed_file.mdl
  • Check logs or output for AddressSanitizer errors indicating out-of-bounds reads or buffer overflows.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of untrusted or malformed MDL files with the Assimp library, especially those related to Half-Life 1 model loading.

Since the vulnerability requires a local attack and involves processing crafted MDL files, restricting access to the Assimp library, or to applications using it, to trusted users and files can reduce risk.

Additionally, monitor for updates or patches from the Assimp project that address this issue and apply them as soon as they become available.

