PatchSiren cyber security CVE debrief
CVE-2026-10233 Assimp CVE debrief
A low-severity out-of-bounds read vulnerability exists in the Open Asset Import Library (Assimp) through version 6.0.4. The flaw resides in the HL1MDLLoader::read_sequence_infos function within HL1MDLLoader.cpp, which handles Half-Life 1 MDL model loading. Manipulation of an aiString argument can trigger an out-of-bounds read condition. The attack vector requires local access with low privileges and no user interaction. A public proof-of-concept has been released, though the project has categorized the reported issue as a bug rather than a security vulnerability. The CVSS 4.0 score of 1.9 reflects limited confidentiality impact with no integrity or availability impact.
- Vendor: Assimp
- Product: Open Asset Import Library
- CVSS: LOW 1.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Organizations using Assimp to process untrusted Half-Life 1 MDL model files in multi-user environments; developers integrating Assimp into applications with local file processing capabilities.
Technical summary
The vulnerability exists in HL1MDLLoader::read_sequence_infos() in HL1MDLLoader.cpp. An aiString manipulation causes an out-of-bounds read while the loader parses the sequence info table of a Half-Life 1 MDL model. The attack requires local access. CVSS 4.0: 1.9 (Low). A public proof-of-concept is available.
Defensive priority
low
Recommended defensive actions
- Upgrade to a fixed version of Assimp when available; monitor the Assimp GitHub repository and issue #6619 for patch releases
- Restrict untrusted user access to systems processing 3D model files through Assimp
- Implement input validation and sandboxing for Half-Life 1 MDL file processing workflows
- Review application logs for anomalous crashes in HL1MDLLoader components that may indicate exploitation attempts
- Subscribe to Assimp security advisories and the NVD entry for this CVE to receive notification of official patches
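As an added defensive example (not code from the Assimp project or from this advisory), the following Python puts the input-validation, sandboxing and log-review actions above into practice: a header sanity check that refuses HL1 MDL files whose sequence-info table does not lie inside the bytes actually received, a child-process wrapper that turns a crashing or hanging import into a rejected file, and a log triage routine that ties crash lines to the HL1MDLLoader. The struct sizes and field offsets are assumptions taken from the HL1 SDK studio.h layout, the importer command is a stand-in for an external tool such as the `assimp` CLI, and the sample file bytes and log lines are constructed for the example.

```python
"""Gate and isolate untrusted HL1 MDL input before it reaches an Assimp importer.

Added example, not Assimp project code. Assumptions: struct sizes and offsets
follow the HL1 SDK studio.h layout (studiohdr_t = 244 bytes, mstudioseqdesc_t =
176 bytes); the importer is an external command such as the `assimp` CLI; the
sample file bytes and the crash-log lines below are constructed, not real data.
"""
import re
import struct
import subprocess
import sys
from typing import Optional

HL1_MDL_MAGIC = b"IDST"
HL1_MDL_VERSION = 10
STUDIOHDR_SIZE = 244   # sizeof(studiohdr_t), HL1 SDK layout (assumption)
SEQDESC_SIZE = 176     # sizeof(mstudioseqdesc_t), HL1 SDK layout (assumption)
OFF_LENGTH, OFF_NUMSEQ, OFF_SEQINDEX = 72, 164, 168  # studiohdr_t field offsets


def check_hl1_mdl_header(data: bytes) -> Optional[str]:
    """Return None if the header is self-consistent, otherwise a rejection reason.
    Every table the loader walks must lie fully inside the bytes we hold."""
    if len(data) < STUDIOHDR_SIZE:
        return "file shorter than studiohdr_t"
    magic, version = struct.unpack_from("<4si", data, 0)
    if magic != HL1_MDL_MAGIC or version != HL1_MDL_VERSION:
        return "not an HL1 MDL v10 file"
    (declared_len,) = struct.unpack_from("<i", data, OFF_LENGTH)
    if declared_len != len(data):
        return f"declared length {declared_len} != actual {len(data)}"
    numseq, seqindex = struct.unpack_from("<ii", data, OFF_NUMSEQ)
    if numseq < 0 or seqindex < STUDIOHDR_SIZE:
        return "negative sequence count or table inside header"
    if seqindex + numseq * SEQDESC_SIZE > len(data):  # Python ints cannot overflow here
        return "sequence table extends past end of file"
    return None


def build_sample_mdl(numseq: int, seqindex: int, total_len: int) -> bytes:
    """Construct an MDL-shaped byte string for exercising the gate (not a real model)."""
    buf = bytearray(total_len)
    struct.pack_into("<4si", buf, 0, HL1_MDL_MAGIC, HL1_MDL_VERSION)
    struct.pack_into("<i", buf, OFF_LENGTH, total_len)
    struct.pack_into("<ii", buf, OFF_NUMSEQ, numseq, seqindex)
    return bytes(buf)


def import_isolated(cmd: list, timeout_s: float = 30.0) -> dict:
    """Run the importer as a child process; a crash or hang rejects the file
    instead of taking the host application down with it."""
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return {"ok": False, "reason": "timeout"}
    if proc.returncode < 0:
        return {"ok": False, "reason": f"killed by signal {-proc.returncode}"}
    if proc.returncode != 0:
        return {"ok": False, "reason": f"exit status {proc.returncode}"}
    return {"ok": True, "reason": "imported"}


def python_cmd(code: str) -> list:
    """Stand-in importer command for offline demonstration: runs a Python snippet."""
    return [sys.executable, "-c", code]


# Constructed crash-log lines in a syslog-like "tag[pid]: message" shape.
SAMPLE_LOG = """\
app[412]: segfault at 7f3c00010000 ip 00005590a1c2e3b4 in libassimp.so.6
app[412]: backtrace: Assimp::HL1MDLLoader::read_sequence_infos()
app[413]: imported models/crate.glb in 12 ms
app[418]: backtrace: Assimp::ObjFileImporter::CreateDataFromImport()
"""
LOG_LINE = re.compile(r"^\w+\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CRASH_SIGNAL = re.compile(r"segfault|SIGSEGV|SIGABRT|SIGBUS")


def find_loader_crashes(log_text: str) -> list:
    """Return pids whose crash line is followed by a backtrace in HL1MDLLoader."""
    crashed, hits = set(), []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        if CRASH_SIGNAL.search(msg):
            crashed.add(pid)
        elif "HL1MDLLoader" in msg and pid in crashed:
            hits.append(pid)
    return hits


if __name__ == "__main__":
    size = STUDIOHDR_SIZE + 2 * SEQDESC_SIZE
    print("good:", check_hl1_mdl_header(build_sample_mdl(2, STUDIOHDR_SIZE, size)))
    print("bad: ", check_hl1_mdl_header(build_sample_mdl(3, STUDIOHDR_SIZE, size)))
    print("crashed pids:", find_loader_crashes(SAMPLE_LOG))
```

The header gate is only a pre-filter: it rejects files whose declared tables cannot fit, which is cheap and format-specific, but the child-process wrapper is what actually contains a loader that still misreads a file that passes the gate. Pair the wrapper with OS-level limits (rlimits, a seccomp or container sandbox) in production, and feed the pid list from the log triage into alerting so repeated HL1MDLLoader crashes on one host are reviewed as possible exploitation attempts.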
Evidence notes
The vulnerability is documented in the NVD entry with Vuldb as the assigning CNA. The source references include the Assimp GitHub repository, issue #6619, and an attached proof-of-concept file. Weaknesses are classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read). The CVSS 4.0 vector confirms local attack vector, low attack complexity, low privileges required, and no user interaction.
Official resources
Public disclosure occurred on 2026-06-01 with concurrent release of a proof-of-concept. The Assimp project has tagged this issue as a bug in their issue tracker.