PatchSiren cyber security CVE debrief
CVE-2026-10229 Assimp CVE debrief
A heap-based buffer overflow vulnerability exists in the Open Asset Import Library (Assimp) through version 6.0.4, specifically within the Half-Life 1 MDL Loader component. The flaw resides in the `HL1MDLLoader::read_meshes` function in `HL1MDLLoader.cpp`. The vulnerability requires local access and low privileges to exploit, with no user interaction needed. A proof-of-concept has been publicly disclosed, increasing the risk of attempted exploitation. The Assimp project has acknowledged the issue as a bug. The CVSS 4.0 vector indicates local attack vector, low attack complexity, and low impacts to confidentiality, integrity, and availability.
- Vendor
- Assimp
- Product
- Open Asset Import Library
- CVSS
- LOW 1.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-01
- Original CVE updated
- 2026-06-01
- Advisory published
- 2026-06-01
- Advisory updated
- 2026-06-01
Who should care
Organizations using Assimp to process untrusted Half-Life 1 MDL files in local applications; developers integrating Assimp into 3D asset pipelines; security teams monitoring for local privilege escalation vectors in graphics processing libraries
Technical summary
The vulnerability is a heap-based buffer overflow in `HL1MDLLoader::read_meshes` within `HL1MDLLoader.cpp` of the Assimp library (≤6.0.4). The Half-Life 1 MDL Loader component fails to properly validate buffer boundaries when processing mesh data from MDL files. Exploitation requires local execution with low privileges and no user interaction. Public proof-of-concept availability increases exploitability risk despite the local attack vector constraint. The Assimp project has classified the reported issue as a bug.
Defensive priority
low
Recommended defensive actions
- Upgrade Assimp to a version newer than 6.0.4 when a patched release becomes available; monitor the Assimp GitHub repository for security updates
- Restrict execution of untrusted Half-Life 1 MDL files to isolated, non-production environments
- Apply principle of least privilege for local user accounts that process 3D model files through Assimp
- Monitor for anomalous crashes in applications using Assimp's HL1 MDL loader, which may indicate exploitation attempts
- Review and validate MDL file inputs before processing through Assimp in security-sensitive applications
Evidence notes
The vulnerability description is sourced from the NVD record with CNA attribution to Vuldb. The affected function `HL1MDLLoader::read_meshes` and file `HL1MDLLoader.cpp` are explicitly named. CVSS 4.0 score of 1.9 with LOW severity is derived from the vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/E:P. CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow) are identified as weakness classifications. The vendor attribution to Assimp is based on GitHub repository references and issue #6614.
Official resources
Public disclosure occurred on 2026-06-01 with publication of the CVE record and availability of a proof-of-concept attachment. The issue was reported to VulDB and assigned identifier 821189. The Assimp project has tagged this as a bug via a