PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10232 Assimp CVE debrief

A use-after-free vulnerability exists in the Open Asset Import Library (Assimp) through version 6.0.4, specifically within the `aiNode::~aiNode` destructor in `scene.cpp` during ASE file parsing. The vulnerability requires local access and has a LOW severity CVSS score of 1.9. A public proof-of-concept exploit has been released. The project maintainers have tagged the reported issue as a bug.

Vendor
Assimp
Product
Assimp (Open Asset Import Library)
CVSS
LOW 1.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations using Assimp for ASE file processing in desktop applications, game engines, or 3D content pipelines where untrusted ASE files may be loaded; security teams monitoring for memory corruption vulnerabilities in media processing libraries.

Technical summary

The vulnerability is a use-after-free condition in the `aiNode::~aiNode` destructor within `scene.cpp` of the Assimp library, triggered during parsing of ASE (3D Studio Max ASCII Scene Export) files. Affected versions are up to and including 6.0.4. The attack requires local access with low privileges and no user interaction. The CVSS:4.0 score of 1.9 reflects limited confidentiality, integrity, and availability impacts under local attack conditions. A public exploit has been released, increasing the practical risk despite the low base score. The underlying weaknesses are CWE-119 and CWE-416.

Defensive priority

low

Recommended defensive actions

  • Upgrade Assimp to a version newer than 6.0.4 when available; monitor the Assimp GitHub repository for patches addressing issue #6617
  • Restrict untrusted user access to systems processing ASE files with Assimp
  • Validate and sanitize ASE input files before processing through Assimp
  • Monitor for anomalous crashes in applications using Assimp for ASE file import, as these may indicate exploitation attempts
  • Apply principle of least privilege to processes handling 3D asset imports via Assimp

Evidence notes

The vulnerability is located in the ASE File Parser component of Assimp, specifically the `aiNode::~aiNode` destructor in `scene.cpp`. The CVSS:4.0 vector indicates local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), and no user interaction (UI:N). The exploitability metric (E:P) confirms a public proof-of-concept exists. CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-416 (Use After Free) are identified as the underlying weaknesses. The vulnerability status in NVD is 'Received' as of the published date.

Official resources

public