CVE-2026-14610
Received Received - Intake

Heap-based Buffer Overflow in Open Asset Import Library Assimp

Vulnerability report for CVE-2026-14610, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: VulDB

Description

A flaw has been found in Open Asset Import Library Assimp up to 6.0.5. Impacted is the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. This manipulation causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. Patch name: eb84eec580d3f4ba2f0fd87409b7d0744620f11e. Applying a patch is the recommended action to fix this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-03
Last Modified
2026-07-03
Generated
2026-07-04
AI Q&A
2026-07-04
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
assimp open_asset_import_library to 6.0.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a flaw in the Open Asset Import Library (Assimp) up to version 6.0.5, specifically in the function Assimp::CSMImporter::InternReadFile within the CSM File Handler component. It causes a heap-based buffer overflow, which means that the program writes more data to a buffer located in the heap than it can hold, potentially leading to memory corruption.

The attack exploiting this vulnerability is limited to local execution, meaning an attacker must have local access to the system to exploit it. A patch has been published to fix this issue, and applying it is recommended.

Impact Analysis

This vulnerability can lead to a heap-based buffer overflow, which may allow an attacker with local access to cause memory corruption. This can result in unexpected behavior such as application crashes, data corruption, or potentially allow the attacker to execute arbitrary code with the privileges of the affected application.

Since the attack requires local execution and privileges, remote exploitation is not possible. However, if exploited, it could compromise the integrity, confidentiality, and availability of the system or data handled by the vulnerable component.

Mitigation Strategies

The recommended action to fix this issue is to apply the patch named eb84eec580d3f4ba2f0fd87409b7d0744620f11e.

Since the attack is restricted to local execution, ensuring that only trusted users have local access can help mitigate risk until the patch is applied.

Detection Guidance

This vulnerability is a heap-based buffer overflow in the Assimp library's CSM File Handler component, specifically in the function Assimp::CSMImporter::InternReadFile. It is exploitable only via local execution.

Detection would typically involve checking the version of the Assimp library installed on your system to see if it is up to version 6.0.5 or earlier, which are vulnerable.

Since the vulnerability is local and related to a specific function in the library, network detection is not applicable.

A practical command to detect the vulnerable version on a Linux system might be:

  • dpkg -l | grep assimp

Or if installed from source or other package managers, you can check the version by running:

  • assimp version

If the version is 6.0.5 or earlier, the system is vulnerable and should be patched.

Applying the patch named eb84eec580d3f4ba2f0fd87409b7d0744620f11e is recommended to fix the issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14610. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart