PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10199 Assimp CVE debrief

A null pointer dereference vulnerability exists in the Open Asset Import Library (Assimp) through version 6.0.4, in the `glTF2::LazyDict` class template in `glTF2Asset.h`. The flaw arises from improper handling of the `operator[]` argument, which can be manipulated to trigger a null pointer dereference. The attack vector is local, requiring low privileges and no user interaction, with a demonstrated availability impact. A public proof-of-concept has been disclosed, and a patch is available. The vulnerability is not listed in CISA KEV and shows no known ransomware campaign use.

Vendor: Assimp
Product: Open Asset Import Library
CVSS: LOW 1.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-31
Original CVE updated: 2026-05-31
Advisory published: 2026-05-31
Advisory updated: 2026-05-31

Who should care

Organizations using Assimp for glTF2 model processing in local or server-side environments, particularly those with automated 3D asset pipelines that may process untrusted input files. Developers integrating Assimp into applications with local file processing capabilities should prioritize patching to prevent denial-of-service conditions.

Technical summary

The vulnerability resides in the `glTF2::LazyDict` class template within `glTF2Asset.h` of the Assimp library. The `operator[]` implementation fails to properly validate or handle cases where dictionary access results in a null pointer, leading to a null pointer dereference when manipulated with crafted input. This is a local vulnerability requiring low privileges, with no confidentiality or integrity impact but with demonstrated availability impact (denial of service). The CVSS 4.0 score of 1.9 reflects the local attack vector and limited scope. The fix in commit d24b85319bd70c65883a2b96613e07e23fb95981 addresses the improper pointer handling.

Defensive priority

low

Recommended defensive actions

  • Apply the patch commit d24b85319bd70c65883a2b96613e07e23fb95981 to Assimp installations.
  • Upgrade to Assimp version 6.0.5 or later when available, which should incorporate the fix.
  • Restrict local access to Assimp processing environments to trusted users only, given the local attack vector and low privilege requirements.
  • Monitor for anomalous glTF2 file processing attempts in environments where Assimp is used for automated model ingestion.
  • Validate glTF2 input files, for example through schema validation or a preprocessing step that rejects malformed files, before passing them to Assimp parser routines.
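
A pre-check in the spirit of the last action above, as an added example that is not Assimp's or PatchSiren's code: it flags index references in a parsed .gltf JSON document that are malformed or point outside their target array, before the file reaches the parser. The names REFS, check_gltf_indices and SAMPLE are hypothetical, only core glTF 2.0 references are covered, and it is an assumption that this class of malformed input is relevant to CVE-2026-10199, since the page does not describe the trigger.

```python
# Core glTF 2.0 index references: path -> top-level array it must index into.
# "[]" iterates a list, "{}" an object's values. Extensions are not covered.
REFS = {
    "scene": "scenes", "scenes[].nodes[]": "nodes",
    "nodes[].children[]": "nodes", "nodes[].mesh": "meshes",
    "nodes[].skin": "skins", "nodes[].camera": "cameras",
    "meshes[].primitives[].attributes{}": "accessors",
    "meshes[].primitives[].indices": "accessors",
    "meshes[].primitives[].material": "materials",
    "accessors[].bufferView": "bufferViews", "bufferViews[].buffer": "buffers",
    "textures[].source": "images", "textures[].sampler": "samplers",
    "images[].bufferView": "bufferViews", "skins[].joints[]": "nodes",
    "skins[].inverseBindMatrices": "accessors",
}

def _walk(value, steps, loc):
    """Yield (location, leaf) for each value reached by following steps."""
    if not steps:
        yield loc, value
    elif isinstance(value, dict) and steps[0].rstrip("[]{}") in value:
        key = steps[0].rstrip("[]{}")
        child, loc, rest = value[key], f"{loc}.{key}", steps[1:]
        if steps[0].endswith("[]") and isinstance(child, list):
            items = [(f"[{i}]", v) for i, v in enumerate(child)]
        elif steps[0].endswith("{}") and isinstance(child, dict):
            items = [(f".{k}", v) for k, v in child.items()]
        elif steps[0] == key:
            items = [("", child)]
        else:  # wrong container type: report it as a bad reference
            items, rest = [(" (wrong type)", None)], []
        for suffix, item in items:
            yield from _walk(item, rest, loc + suffix)

def check_gltf_indices(doc):
    """Return a list of malformed or out-of-range index references."""
    if not isinstance(doc, dict):
        return ["$: top level is not a JSON object"]
    problems = []
    for path, target in REFS.items():
        size = len(doc[target]) if isinstance(doc.get(target), list) else 0
        for loc, ref in _walk(doc, path.split("."), "$"):
            if type(ref) is not int or not 0 <= ref < size:
                problems.append(f"{loc} -> {target}: bad reference {ref!r}")
    return problems

# Constructed sample: node 0 references mesh 3, but only one mesh exists.
SAMPLE = {"scene": 0, "scenes": [{"nodes": [0]}],
          "nodes": [{"mesh": 3}], "meshes": [{"primitives": []}]}
```

Pass it the result of `json.load` on a .gltf file and reject the file if the returned list is non-empty; a binary .glb needs its JSON chunk extracted first.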

Evidence notes

The vulnerability was reported to VulDB (submit/821179) and assigned CVE-2026-10199. The issue was tracked as GitHub issue #6611 and resolved via pull request #6646, with patch commit d24b85319bd70c65883a2b96613e07e23fb95981. A proof-of-concept file was publicly attached to the issue. CVSS 4.0 vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P. Weaknesses identified as CWE-404 (Improper Resource Shutdown or Release) and CWE-476 (NULL Pointer Dereference).
