PatchSiren cyber security CVE debrief
CVE-2026-10230 Open Asset Import Library CVE debrief
A heap-based buffer overflow vulnerability exists in the Open Asset Import Library (Assimp) up to version 6.0.4, specifically within the Half-Life 1 MDL Loader component. The flaw resides in the `Assimp::MDL::HalfLife::HL1MDLLoader::read_animations` function of `HL1MDLLoader.cpp`. Successful exploitation requires local access and low privileges, with no user interaction needed. The vulnerability has been publicly disclosed and an exploit is available, though the project maintainers have tagged the reported issue as a bug. The CVSS 4.0 vector indicates local attack vector with low attack complexity, and low impacts to confidentiality, integrity, and availability. No known ransomware campaign use has been identified, and this CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Vendor: Open Asset Import Library
- Product: Assimp
- CVSS: LOW 1.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Organizations and developers using Assimp to process Half-Life 1 MDL files in local workflows, particularly in multi-user environments where untrusted users may supply model files. Game engine developers, 3D asset pipeline maintainers, and security teams monitoring open-source 3D library dependencies should prioritize patching when available.
Technical summary
The vulnerability is a heap-based buffer overflow (CWE-119/CWE-122) in the `read_animations` function of `HL1MDLLoader.cpp` within Assimp's Half-Life 1 MDL Loader. Affected versions are up to and including 6.0.4. The attack requires local access with low privileges and no user interaction. The exploit is publicly available. The CVSS 4.0 vector is AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/E:P, yielding a base score of 1.9 (LOW severity). The subsequent-system impact metrics are all none (SC:N/SI:N/SA:N), so the impact is confined to the vulnerable system itself.
Defensive priority
low
Recommended defensive actions
- Upgrade Assimp to a version newer than 6.0.4 when available, or apply patches from the project maintainers referencing the reported issue.
- Restrict local access to systems processing untrusted Half-Life 1 MDL files to trusted users only.
- Monitor the assimp/assimp GitHub repository for security updates and patch releases addressing this vulnerability.
- Validate and sanitize Half-Life 1 MDL files before processing through Assimp in production environments.
- Review application logs for anomalous crashes or memory errors in components using Assimp's HL1 MDL loader.
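One way to act on the validation step above is to bounds-check the file's own count/offset pairs before any loader consumes them. The C pre-check below is an added example, not Assimp's code; it assumes the `studiohdr_t` field offsets from the public Half-Life SDK, and `check_sample` builds a constructed one-sequence file so hostile `numseq`/`seqindex` values can be exercised offline.

```c
#include <stdint.h>
#include <string.h>

/* Assumed studiohdr_t layout (public Half-Life SDK studio.h, not from the advisory):
   "IDST" magic at 0, version 10 at 4, declared file length at 72, numseq at 164,
   seqindex at 168; header is 244 bytes, each mstudioseqdesc_t entry is 176 bytes. */
#define HDR_SIZE     244u
#define SEQDESC_SIZE 176u
#define SAMPLE_LEN   (HDR_SIZE + SEQDESC_SIZE)   /* constructed one-sequence file */

enum { MDL_OK = 0, MDL_TOO_SHORT, MDL_BAD_MAGIC, MDL_BAD_VERSION,
       MDL_BAD_LENGTH, MDL_SEQ_OOB };

/* Little-endian int32 accessors, independent of host endianness. */
static int32_t rd_i32(const unsigned char *p)
{ return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24); }
static void wr_i32(unsigned char *p, int32_t v)
{ uint32_t u = (uint32_t)v; p[0] = (unsigned char)u; p[1] = (unsigned char)(u >> 8); p[2] = (unsigned char)(u >> 16); p[3] = (unsigned char)(u >> 24); }

/* True if [offset, offset + count*elem_size) lies inside file_len bytes.
   Computed in 64 bits so a hostile count cannot wrap the multiplication. */
static int section_in_bounds(uint32_t file_len, int32_t offset, int32_t count, uint32_t elem_size)
{
    if (offset < 0 || count < 0) return 0;
    return (uint64_t)offset + (uint64_t)count * elem_size <= file_len;
}

/* Reject files whose sequence table cannot fit, before a loader ever touches it. */
int mdl_header_ok(const unsigned char *buf, uint32_t len)
{
    if (len < HDR_SIZE) return MDL_TOO_SHORT;
    if (memcmp(buf, "IDST", 4) != 0) return MDL_BAD_MAGIC;
    if (rd_i32(buf + 4) != 10) return MDL_BAD_VERSION;
    if (len > INT32_MAX || rd_i32(buf + 72) != (int32_t)len) return MDL_BAD_LENGTH;
    if (!section_in_bounds(len, rd_i32(buf + 168), rd_i32(buf + 164), SEQDESC_SIZE))
        return MDL_SEQ_OOB;
    return MDL_OK;
}

/* Build a constructed sample file with caller-chosen numseq/seqindex and check it. */
int check_sample(int32_t numseq, int32_t seqindex)
{
    unsigned char f[SAMPLE_LEN] = {0};
    memcpy(f, "IDST", 4);
    wr_i32(f + 4, 10);
    wr_i32(f + 72, (int32_t)SAMPLE_LEN);
    wr_i32(f + 164, numseq);
    wr_i32(f + 168, seqindex);
    return mdl_header_ok(f, SAMPLE_LEN);
}
```

`check_sample(1, 244)` passes, while a huge or negative `numseq`, or an offset past the end of the file, is rejected with `MDL_SEQ_OOB` before any allocation is sized from those fields.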
Evidence notes
The vulnerability was reported to VulDB (submission 821190) and assigned CVE-2026-10230. The issue was tracked as GitHub issue #6615 in the assimp/assimp repository. The project tagged the issue as a bug. The CVSS 4.0 score of 1.9 reflects the local attack vector and limited impact scope.